An organization should establish an effective cybersecurity training program for personnel having authorized access to critical cyber assets.
Create a training plan for everyone who works at the organization. The plan should address, but need not be limited to, the following:
- Articulate a culture of security awareness, collaboration, and buy-in among management, staff, clients, and stakeholders.
- Describe common security risks and how to avoid them.
- Describe policies, access controls, and procedures developed for critical electronic devices and communication networks.
- Describe the proper use of critical electronic devices and communication networks.
- Describe the proper handling of critical information.
- Present action plans and procedures to recover or reestablish critical electronic devices and communication networks.
- Address the risks resulting from insecure behavior of employees.