An organization should establish an effective cybersecurity training program for personnel having authorized access to critical cyber assets.
Create a training plan for everyone who works at the organization. The training plan should address (but is not limited to) the following:
Articulate a culture of security awareness, collaboration, and buy-in among management, staff, clients, and stakeholders.
Describe common security risks and how to avoid them.
Describe policies, access controls, and procedures developed for critical electronic devices and communication networks.
Describe the proper use of critical electronic devices and communication networks.
Describe the proper handling of critical information.
Present action plans and procedures to recover or reestablish critical electronic devices and communication networks.
Address the risks resulting from insecure behavior of employees.