The Compliance User Responsibility control from the CSA CCM aims to ensure employees understand and fulfill their duties in maintaining awareness of and adhering to organizational policies, procedures, and legal/regulatory obligations. Organizations should implement training and awareness programs to regularly reinforce these responsibilities. Failure to do so could lead to non-compliance issues and legal exposure.
Where did this come from?
This control comes from the CSA Cloud Controls Matrix v4.0.10 released on 2023-09-26. You can find more details and download the latest version of the CCM here.
The CCM provides a comprehensive set of cloud security controls mapped to various standards and regulations. It is considered an authoritative reference by many organizations. For additional context, check out this Introductory Guide to the CCM.
Who should care?
Several roles have a vested interest in this control:
- CISOs and security leaders responsible for overseeing the organization's security awareness program
- Compliance officers tasked with ensuring adherence to policies, standards and regulations
- HR professionals who handle onboarding and ongoing training of employees
- Department managers accountable for their teams' security and compliance posture
- All employees who need to understand and follow the rules
What is the risk?
Without regular awareness training, employees may not fully grasp or keep up with their security and compliance duties. This could lead to several adverse outcomes:
- Unintentional insider threats from staff making mistakes or taking ill-advised actions
- Intentional malicious activity by rogue employees taking advantage of weak oversight
- Regulatory violations resulting in fines, sanctions, reputational damage, etc.
- Contractual breaches and liability from non-compliance with customer/partner obligations
While training alone cannot eliminate these risks entirely, it is an essential control for reducing their likelihood and impact. Studies show that organizations with mature awareness programs suffer fewer and less costly incidents.
What's the care factor?
For most organizations, this control warrants a moderately high to high priority. Compliance failures can have severe consequences, and employees are the last line of defense.
However, the risk varies based on factors like:
- The sensitivity of the data and systems employees can access
- Applicability of specific legal/regulatory requirements (e.g. HIPAA, GDPR, SOX)
- Maturity of existing training and awareness controls
Security leaders should assess their risk profile to determine an appropriate level of care and investment in this area. At a minimum, all organizations should implement a basic awareness program covering essential policies and standards.
When is it relevant?
Employee awareness is important in virtually all situations. Some key scenarios include:
- Onboarding of new hires
- Significant changes to policies, procedures, or job roles/duties
- Mergers and acquisitions that introduce new staff or requirements
- Shifts to remote/hybrid work arrangements
- Emergence of new threats targeting employees (e.g. social engineering)
There may be edge cases where very small teams with a high degree of security competence can get by with less formal training. But this is more the exception than the rule, especially for cloud-hosted workloads.
What are the trade-offs?
Effective awareness programs require an ongoing investment of time and resources to develop and deliver training content, track completion, gather feedback, etc.
Pulling employees away from their regular duties to complete training has a productivity cost. And there is a risk of "training fatigue" if the content is too dry or repetitive.
However, these costs are generally far outweighed by the benefits of avoiding disruptive and expensive security/compliance incidents. Having well-informed staff also builds customer trust and competitive advantage.
How to make it happen?
Here's a step-by-step approach to implementing this control:
- Define requirements:
  - Identify applicable policies, standards, laws, and regulations
  - Map these to specific employee roles and responsibilities
- Develop training content:
  - Create engaging materials tailored to different audiences
  - Use a variety of formats (e.g. videos, quizzes, phishing simulations)
  - Cover what to do AND why it matters
  - Make it real with relevant examples and scenarios
- Deliver training:
  - Assign mandatory courses to all employees at onboarding & annually
  - Supplement with optional micro-learning content throughout the year
  - Provide resources for self-study and reference
- Measure effectiveness:
  - Track course completion rates and assessment scores
  - Survey employees on knowledge gains and behavior changes
  - Monitor incident metrics for signs of improvement
- Iterate and improve:
  - Adjust content and approach based on feedback and results
  - Stay current with evolving risks and requirements
- Document everything:
  - Maintain records of training activities for audit & compliance evidence
There are many vendors that provide comprehensive security awareness platforms to streamline the process. But even a simple homegrown program using open source content is better than nothing.
What are some gotchas?
A few things to watch out for:
- Failing to get leadership buy-in and model good security behaviors
- Underestimating the time required to develop quality training content
- Pushing training without explaining the context and reasons behind it
- Treating it as a one-and-done annual check box exercise
- Not having a process to handle exceptions (e.g. staff on leave)
- Lack of engaging hands-on learning activities
- Overly technical or confusing content not tailored to each audience
Organizations should also be aware of any specific technical prerequisites for deploying awareness programs and tracking completion, such as:
- LMS/training portal system requirements
- SSO integration for auto-enrollment of users
- Administrator privileges to assign courses and monitor progress
Consult the documentation of your chosen training tools and platforms for details.
What are the alternatives?
While there is no direct substitute for employee awareness training, some complementary approaches include:
- Appointing security champions to promote best practices within teams
- Instituting consequences (positive and negative) for security behaviors
- Using behavioral analytics tools to detect & respond to risky user activity
- Implementing technical controls to enforce policies and standards
However, these should be pursued in addition to, not instead of, training. There is no silver bullet.
Explore further
For a deeper dive on this topic, check out:
- NIST SP 800-50 - Building an Information Technology Security Awareness and Training Program
- SANS Security Awareness Maturity Model
- CIS Control 14 - Security Awareness and Skills Training
- CAIQ - Consensus Assessments Initiative Questionnaire
Hopefully this article has conveyed the importance of the HRS-13 control and provided practical guidance for implementation. But don't stop here - make employee awareness an integral part of your organization's security culture and program. The stakes are too high to leave it to chance.