An awareness and training policy provides the foundation for organization-wide cybersecurity communications. The policy should address all levels of the organization from a management (CEO to line employee) and technical (systems, network, database administrator, and so on) perspective. The policy should also address the types of training that the organization will conduct, as well as its recurrence.

An awareness and training policy should address:

• Ensuring that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems
• Ensuring that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities
• Providing security awareness training on recognizing and reporting potential indicators of an insider threat.