Issue link: https://insights.oneneck.com/i/1199907
oneneck.com/it-security-services 15

Section Four

Control 14 – Security Awareness and Skills Training

Cyber defense is more than just a technical challenge — it's a human challenge as well. People will always be part of your organization, and attackers are highly skilled and very successful at exploiting them. You need to stay one step ahead of their exploits and take action to protect yourself.

Control 14 helps you implement a security awareness and skills training program that will empower your employees to help you identify, manage and monitor risks. You'll want to train your workforce on how to use secure authentication tools, identify and avoid social engineering attacks, handle sensitive data properly, understand and avoid the key causes of unintentional data exposure, and identify and report incidents.

Enterprises in Implementation Group 2 (IG2) should develop and deliver training that targets existing skills gaps and ensure that the security awareness program is updated at least annually. This includes training the workforce to verify and report out-of-date software patches or any failures in automated processes and tools, and to properly notify IT personnel of those failures. Training workers on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities is paramount; if the enterprise has remote workers, training must also include guidance to ensure that all users securely configure their home network infrastructure.

Control 15 – Service Provider Management

In our modern, connected world, enterprises rely on vendors and partners to help manage their data, or rely on third-party infrastructure for core applications or functions. While reviewing the security of third parties has been a task performed for decades, there is no universal standard for assessing security, and many service providers are being audited by their customers multiple times a month, which impacts their own productivity.

Control 15 offers several guidelines on how companies can monitor and evaluate service providers. Establish and maintain an inventory of service providers, and review and update the inventory annually, or whenever significant enterprise changes occur that could impact this Safeguard. IG2 enterprises should also classify service providers by characteristics such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. They should also establish and maintain a service provider management policy that covers the classification, inventory, assessment, monitoring, and decommissioning of service providers.