Compliance - NIST 800-171 - Awareness and Training
One of the greatest threats to information security comes from within an organization. Insider threats are regarded as among the most dangerous because the people involved are already familiar with the infrastructure. It is not always disgruntled employees and corporate spies who pose the threat; often it is the non-malicious, uninformed employee.
Uninformed users can do harm to a network by visiting websites infected with malware, responding to phishing e-mails, storing their login information in an unsecured location, or even giving out sensitive information over the phone when exposed to social engineering.
Thus, one of the best ways to make sure employees do not make costly errors in regard to information security is to institute company-wide security-awareness training initiatives that include, but are not limited to, classroom-style training sessions, security awareness website(s), helpful hints via e-mail, or even posters. These methods can help ensure employees have a solid understanding of company security policies, procedures and best practices.
NIST Special Publication 800-171 provides the following security requirements for awareness and training (including basic and derived requirements) for protecting the confidentiality of CUI (Controlled Unclassified Information) in nonfederal information systems and organizations. The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and information systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53.
Basic Security Requirements:
3.2.1 Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems.
3.2.2 Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
Derived Security Requirements:
3.2.3 Provide security awareness training on recognizing and reporting potential indicators of insider threat.