organization, as well as their role in those procedures.
Config/Hygiene: Conduct periodic exercises to verify that employees and contractors are fulfilling their information security duties, testing whether employees will click on a link in a suspicious e-mail or provide sensitive information on the telephone without following appropriate procedures for authenticating a caller.
Procedures and tools for implementing this control:
The key to upgrading skills is measurement – not with certification examinations, but with assessments that show both the employee and the employer where knowledge is sufficient and where the gaps are. Once the gaps are identified, those employees who have the requisite skills and knowledge can be called upon to mentor the employees who need skills improvement, or the organization can develop training programs that directly fill the gaps and maintain employee readiness.
This document has been developed through the collaboration of a diverse set of security experts. While there is no such thing as absolute protection, proper implementation of the security controls identified in this document will ensure that an organization is protecting against the most significant attacks. As attacks change, as additional controls or tools become available, or as the state of common security practice advances, this document will be updated to reflect what is viewed by the collaborating authors as the most important security controls to defend against cyber attacks.