User and Role-Based Training
- Topics to cover:
- Overview of the organization’s security policies and the penalties for noncompliance
- Incident identification and reporting procedures
- Site security procedures, restrictions, and advice, including safety drills, escorting guests, use of secure areas, and use of personal devices
- Data handling, including document confidentiality, PII, backup, encryption, and so on
- Password and account management plus security features of PCs and mobile devices
- Awareness of social engineering and malware threats, including phishing, website exploits, and spam plus alerting methods for new threats
- Secure use of software such as browsers and email clients plus appropriate use of Internet access, including social networking sites
- There should also be a system for identifying staff who perform security-sensitive roles and for grading the level of training and education each role requires
Info
The NIST National Initiative for Cybersecurity Education framework sets out knowledge, skills, and abilities (KSAs) for different cybersecurity roles.
- Security awareness programs are described in NIST SP 800-50