Control 17.9: Train Workforce Members on Identifying and Reporting Incidents

Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.

Category

Procedural

Purpose

The earlier a security incident is identified and a response is initiated, the less severe the incident is likely to become. Earlier detection also tends to leave more information available about the incident. This information may be key to stopping an ongoing attack and to understanding details such as how the attack was conducted and what impact it caused. Many state breach laws require information on how the breach occurred, how many people were impacted, and what was done to remedy the attack. Reducing the impact and understanding the details of the breach are both much more achievable with earlier detection and response. Employees are key to this early detection, so they should be trained on the types of things to look for and on how to report suspicious behavior or events.

Automation

This Sub-Control is generally not automatable. Network appliances such as a firewall, an intrusion detection and prevention system, or an endpoint protection suite (e.g., antivirus) can be put in place to stop incidents from occurring in the first place, but they do not replace the human reporting this Sub-Control calls for. Third-party organizations offer platforms that can help train users to recognize the symptoms of an incident.

Guidance and Tools

It is important not to overwhelm workforce members or expect them to be security experts. It is unreasonable to expect them all to become cybersecurity experts, but it is important that they report suspicious happenings and occurrences. The key is to identify a small set of events worth reporting and to keep reminding workforce members to report them when seen. Here is a non-exhaustive list of events to train employees to report:

  • Emails asking for sensitive information that are out of context or from unknown senders.
  • Emails from an unknown sender who is asking the person to click a link.
  • Phone calls from an unknown, unverifiable source asking for sensitive information or for changes to be made to an account.
  • Unknown people in areas of the office designated for employees only.
  • Sensitive data observed in a non-secure physical or digital location.
  • Removable media that is not labeled and not claimed by an employee.
  • Evidence of unknown programs running on their computer, such as a Windows User Account Control (UAC) prompt for an unrecognizable program.