CSA CCM HRS-12
Personal and Sensitive Data Awareness and Training

Data is the lifeblood of any organization, and some of the most critical data is personal and sensitive information about employees, customers, and partners. To ensure this sensitive data stays safe, it's crucial that everyone with access to it receives proper security awareness training. This training should cover their responsibilities, the procedures they need to follow, and regular updates to stay current with changes in policies and processes.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10, released on 2023-09-26. You can download the full Cloud Controls Matrix here.

The Cloud Security Alliance developed these controls based on security best practices to help organizations securely adopt and use cloud services. You can find more information on data protection in the AWS documentation on data classification and protecting sensitive data in the cloud.

Who should care?

This control is relevant to several roles:

  • Human Resources managers responsible for employee training programs
  • Security teams that define data handling policies and procedures
  • Legal and compliance officers who ensure regulatory requirements are met
  • Managers of teams that handle sensitive personal data
  • Individual employees with access to personal and sensitive information

What is the risk?

Without proper training, employees may inadvertently mishandle sensitive data, leading to:

  • Data breaches exposing customer and employee private information
  • Regulatory fines and legal action for compliance failures
  • Reputational damage and loss of customer trust
  • Insider threats from malicious use of data access privileges

While training alone cannot eliminate these risks entirely, it significantly reduces the likelihood of accidental data exposure and improves the chances of quickly identifying and stopping intentional misuse.

What's the care factor?

For organizations that handle large volumes of sensitive personal data, such as those in healthcare, finance, and government, providing comprehensive security training is absolutely critical. A single data breach can lead to massive fines, lawsuits, and irreparable brand damage.

Even for companies with less sensitive data, proper training is still quite important. Employees are the first line of defense and teaching them to spot threats like phishing and follow good security hygiene makes the whole organization safer.

However, the depth and frequency of training should be pragmatic and aligned with the sensitivity of the data and the risk of exposure. Over-training low-risk teams wastes time and money.

When is it relevant?

Security awareness training is most relevant when:

  • Onboarding new employees who will handle sensitive data
  • Significant changes occur to data handling policies and procedures
  • New tools and systems are adopted for processing personal data
  • High-risk data breaches make the news, presenting a teaching moment
  • Required to meet specific industry regulations and standards

It may be less relevant for teams not handling any sensitive data, though some basic security education is still valuable. And over-training teams on information not directly related to their work can lead to poor knowledge retention.

What are the trade-offs?

Implementing high-quality security awareness training requires an investment of time, money and resources to:

  • Develop training content and realistic exercises
  • Deliver training sessions and track employee completion
  • Keep materials up-to-date with changing requirements
  • Audit and report on training program effectiveness

This has costs in terms of:

  • Employee time spent in training versus on primary job duties
  • Engaging subject matter experts to create training content
  • Purchasing or building learning management systems
  • Productivity slowdowns from stricter data handling procedures

However, these costs tend to be far lower than those of cleaning up after a major data breach. And good training can actually improve efficiency by teaching employees how to securely share data and collaborate.

How to make it happen?

To implement an effective data security awareness training program:

  1. Catalog and classify all datastores containing sensitive information
  2. Define user roles and map them to data access privileges
  3. Document policies and procedures for securely handling each data class
  4. Engage with HR to define training requirements for each role
  5. Work with subject matter experts to develop training content covering:
    • Regulatory compliance requirements (GDPR, HIPAA, etc.)
    • Data privacy principles and policies
    • How to identify and report security incidents
    • Secure data handling procedures
    • Proper use of security tools like encryption and access control
  6. Set up a learning management system (LMS) to assign and track training
  7. Schedule initial training sessions for all roles handling sensitive data
  8. Deliver training and track completion rates, quiz scores, etc.
  9. Analyze feedback and knowledge retention to optimize future training
  10. Set up recurring training at least annually and for all new hires
  11. Establish an auditing process to assess training effectiveness
  12. Perform regular content reviews and updates to maintain relevance
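Steps 1, 2, 6, 8 and 11 above come together in one recurring check: given the data classification of each datastore, the roles that can reach it, and the LMS completion export, which users with access to personal or sensitive data have no current training? The script below is an added example written for this page, not code from the CSA or any LMS product. Every datastore, role, user, course name and completion date in it is constructed sample input, and the "one course per data class, valid for 365 days" rule is an assumption standing in for whatever your own policy documents require.

```python
from datetime import date, timedelta

# Constructed sample input, standing in for the outputs of steps 1 and 2:
# datastore -> data class, role -> datastores reachable, user -> roles held.
DATASTORE_CLASS = {
    "hr-payroll-db": "sensitive-personal",
    "crm": "personal",
    "public-site-assets": "public",
}
ROLE_ACCESS = {
    "hr-analyst": ["hr-payroll-db"],
    "sales-rep": ["crm"],
    "web-dev": ["public-site-assets"],
    "dba": ["hr-payroll-db", "crm"],
}
USER_ROLES = {
    "alice": ["hr-analyst"],
    "bob": ["sales-rep"],
    "carol": ["web-dev"],
    "dave": ["dba"],
    "erin": ["dba", "sales-rep"],
}
# Constructed LMS completion export (step 8); a user may have several records.
LMS_COMPLETIONS = [
    {"user": "alice", "course": "sensitive-data-handling", "completed": date(2024, 6, 1)},
    {"user": "bob", "course": "personal-data-basics", "completed": date(2023, 12, 15)},
    {"user": "dave", "course": "sensitive-data-handling", "completed": date(2024, 9, 1)},
    {"user": "dave", "course": "sensitive-data-handling", "completed": date(2023, 8, 20)},
]
# Assumed policy: one course per data class; "public" data requires none.
REQUIRED_COURSE = {
    "sensitive-personal": "sensitive-data-handling",
    "personal": "personal-data-basics",
}
VALIDITY = timedelta(days=365)  # step 10: retrain at least annually
AS_OF = date(2025, 3, 1)         # constructed reporting date


def required_courses(user, user_roles=USER_ROLES, role_access=ROLE_ACCESS,
                     datastore_class=DATASTORE_CLASS):
    """Courses a user must hold, derived from the data classes their roles can reach."""
    needed = set()
    for role in user_roles.get(user, []):
        for store in role_access.get(role, []):
            course = REQUIRED_COURSE.get(datastore_class.get(store, "public"))
            if course:
                needed.add(course)
    return needed


def latest_completions(completions):
    """Most recent completion date per (user, course), ignoring older repeats."""
    latest = {}
    for rec in completions:
        key = (rec["user"], rec["course"])
        if key not in latest or rec["completed"] > latest[key]:
            latest[key] = rec["completed"]
    return latest


def find_gaps(today, user_roles=USER_ROLES, completions=LMS_COMPLETIONS):
    """Map each non-compliant user to the courses they never took or let lapse."""
    latest = latest_completions(completions)
    gaps = {}
    for user in sorted(user_roles):
        for course in sorted(required_courses(user, user_roles)):
            done = latest.get((user, course))
            if done is None:
                gaps.setdefault(user, []).append((course, "missing"))
            elif today - done > VALIDITY:
                gaps.setdefault(user, []).append((course, "expired"))
    return gaps


def compliance_rate(today, user_roles=USER_ROLES, completions=LMS_COMPLETIONS):
    """Share of users who need training and are fully current (step 11 metric)."""
    in_scope = [u for u in user_roles if required_courses(u, user_roles)]
    if not in_scope:
        return 1.0
    gaps = find_gaps(today, user_roles, completions)
    return sum(1 for u in in_scope if u not in gaps) / len(in_scope)


if __name__ == "__main__":
    for user, problems in find_gaps(AS_OF).items():
        for course, reason in problems:
            print(f"{user}: {course} ({reason})")
    print(f"compliance rate: {compliance_rate(AS_OF):.0%}")
```

The point of deriving the required courses from role-to-datastore access rather than from job titles is that it catches the case step 2 exists to expose: a user such as "erin", who picked up a second role and with it access to a sensitive store, shows up as a gap the moment the access mapping changes, before anyone remembers to enrol them. In practice the three input tables come from your data catalog, your IAM or directory group membership, and an LMS export, and the report feeds the audit in step 11.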

What are some gotchas?

To set up the LMS and training content, you may need:

  • AWS Identity Center (SSO) permissions to integrate with the LMS
  • IAM permissions like iam:CreateRole, iam:AttachRolePolicy to set up LMS authentication
  • KMS permissions like kms:CreateKey, kms:Encrypt to protect training data at rest
  • Lambda permissions to run serverless training functions

Some common challenges to watch out for:

  • Balancing engaging content with comprehensive coverage
  • Avoiding excessive technical jargon that confuses and bores
  • Convincing managers to prioritize training time for their teams
  • Keeping materials accessible and up-to-date as policies change
  • Tracking completion and effectiveness, especially for large orgs
  • Ensuring coverage of third-party personnel with data access

Explore the AWS Training and Certification docs for tips on delivering technical training at scale. Tools like Amazon Cognito can simplify user management for your LMS.

What are the alternatives?

For very small teams, informal "brown bag" sessions and tabletop exercises can raise awareness without investing in a full-scale LMS. Online universities like Coursera and Udemy provide off-the-shelf security training that may suffice for lower risk situations.

Some relevant compliance frameworks like PCI-DSS and NIST 800-53 provide their own training guidelines that can be adapted. And platforms like KnowBe4 offer security awareness training as a service.
