Do high-risk roles (finance, HR, exec assistants, IT admins) receive role-specific anti-phishing training?
Demonstrate that high-risk role occupants receive documented, role-specific anti-phishing training that addresses attack vectors unique to their access and responsibilities.
Description
What this control does
This control requires organizations to deliver specialized anti-phishing training tailored to high-risk roles whose compromise would yield significant access, trust, or financial damage. Finance personnel, HR staff, executive assistants, and IT administrators receive instruction beyond baseline awareness that addresses the attack vectors aimed at their role: wire-transfer and vendor-payment fraud via business email compromise, payroll redirection and W-2 requests, executive impersonation (CEO fraud) and whaling of executives and the assistants who manage their mail and calendars, and credential harvesting against privileged accounts. Training includes simulated phishing exercises that replicate real-world attacks on these roles, with click and reporting metrics tracked separately from the general user population. Organizations maintain training curricula, attendance records, and phishing simulation results segmented by role to demonstrate heightened protection for positions attackers preferentially target.
Control objective
What auditing this proves
Demonstrate that high-risk role occupants receive documented, role-specific anti-phishing training that addresses attack vectors unique to their access and responsibilities.
Associated risks
Risks this control addresses
- Executive assistants fall victim to calendar-based spear-phishing or CEO fraud, enabling attackers to schedule fraudulent meetings or access confidential communications
- Finance personnel approve fraudulent wire transfers or vendor payment changes via business email compromise attacks targeting invoicing workflows
- HR staff disclose W-2 data, salary information, or personally identifiable information in response to spoofed executive requests
- IT administrators surrender privileged credentials to credential-harvesting sites disguised as legitimate vendor portals or MFA enrollment pages
- Attackers exploit the elevated trust afforded to compromised high-risk accounts to conduct lateral phishing campaigns that bypass suspicion
- Generic awareness training fails to address the sophisticated social-engineering tactics deployed against high-value targets, leaving role-specific attack surfaces undefended
- Organizations lack metrics to evaluate whether high-risk populations demonstrate lower susceptibility than general user populations, masking control effectiveness gaps
Testing procedure
How an auditor verifies this control
- Obtain the organization's definition of high-risk roles and compile a roster of current personnel occupying finance, HR, executive assistant, IT administrator, and similarly privileged positions.
- Request the anti-phishing training curricula, lesson plans, or module descriptions for both baseline user training and role-specific supplemental training.
- Review role-specific training materials to verify they explicitly address attack scenarios targeting that role, such as W-2 scams for HR, wire-transfer fraud for finance, and credential harvesting for IT administrators.
- Obtain training completion records for the past 12 months and confirm all identified high-risk personnel have completed both baseline and role-specific anti-phishing training.
- Retrieve phishing simulation campaign results segmented by role or user group, confirming high-risk populations are targeted with role-appropriate simulated attacks.
- Interview training coordinators or security awareness leads to validate how role-specific scenarios are developed, updated, and delivered separately from general training.
- Select a sample of 10–15 high-risk individuals and cross-reference training records, phishing simulation participation, and role assignment to verify alignment and completeness.
- Examine evidence of training effectiveness measurement specific to high-risk cohorts, such as click rates, reporting rates, or comparative analysis against baseline populations.
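The reconciliation the steps above describe (roster against completion records within a 12-month window, role-appropriate simulation targeting, and click and reporting rates for the high-risk cohort compared with the baseline population) as an added Python example. It is not part of the control text or any vendor tool; it assumes CSV exports with the columns shown, an organization-specific mapping of roles to required supplemental modules and to acceptable simulation campaigns, and the constructed sample rows embedded below (no real personnel).

```python
"""Reconcile a high-risk roster against training and phishing-simulation records.

Added example for the testing procedure above. Column names, role labels,
module and campaign names, and all sample rows are constructed assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Assumption: the organization's own definition of high-risk roles.
HIGH_RISK_ROLES = {"finance", "hr", "exec_assistant", "it_admin"}

# Assumption: supplemental module each role must complete, beyond "baseline".
ROLE_MODULE = {
    "finance": "finance_bec",
    "hr": "hr_w2_payroll",
    "exec_assistant": "exec_assistant_whaling",
    "it_admin": "it_admin_credential_harvesting",
}

# Assumption: simulation campaigns considered role-appropriate for each role.
ROLE_CAMPAIGNS = {
    "finance": {"fake_vendor_invoice", "wire_change_request"},
    "hr": {"w2_request", "payroll_redirect"},
    "exec_assistant": {"ceo_calendar_invite", "ceo_gift_card"},
    "it_admin": {"mfa_reenroll", "vendor_portal_login"},
}

AS_OF = date(2024, 7, 1)  # audit date used for the 12-month completion window

# Constructed sample exports (HR roster, LMS completions, simulation platform).
ROSTER_CSV = """user,role
alice,finance
bob,hr
carol,exec_assistant
dave,it_admin
erin,engineering
frank,finance
grace,engineering
heidi,sales
"""

TRAINING_CSV = """user,module,completed_on
alice,baseline,2024-03-01
alice,finance_bec,2024-03-15
bob,baseline,2024-02-10
carol,baseline,2024-01-20
carol,exec_assistant_whaling,2022-11-05
dave,baseline,2024-04-02
dave,it_admin_credential_harvesting,2024-04-03
erin,baseline,2024-05-01
frank,baseline,2024-06-01
frank,finance_bec,2024-06-02
grace,baseline,2024-05-03
heidi,baseline,2024-05-04
"""

SIM_CSV = """user,campaign,clicked,reported
alice,fake_vendor_invoice,0,1
bob,w2_request,1,0
carol,ceo_calendar_invite,0,1
dave,mfa_reenroll,1,0
erin,generic_password_reset,1,0
frank,generic_password_reset,0,0
grace,generic_password_reset,0,1
heidi,generic_password_reset,1,0
"""


def load(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def high_risk_users(roster):
    """Map user -> role for everyone in a high-risk role."""
    return {r["user"]: r["role"] for r in roster if r["role"] in HIGH_RISK_ROLES}


def training_gaps(roster, training, as_of=AS_OF, window_days=365):
    """Return {user: [module, ...]} for high-risk users missing 'baseline' or
    their role module, or whose most recent completion is older than the window."""
    latest = defaultdict(dict)  # user -> module -> most recent completion date
    for row in training:
        done = date.fromisoformat(row["completed_on"])
        prev = latest[row["user"]].get(row["module"])
        if prev is None or done > prev:
            latest[row["user"]][row["module"]] = done
    gaps = {}
    for user, role in high_risk_users(roster).items():
        missing = [m for m in ("baseline", ROLE_MODULE[role])
                   if latest[user].get(m) is None
                   or (as_of - latest[user][m]).days > window_days]
        if missing:
            gaps[user] = missing
    return gaps


def mistargeted_simulations(roster, sims):
    """High-risk users who only received a generic (not role-appropriate) campaign."""
    roles = high_risk_users(roster)
    return sorted((s["user"], s["campaign"]) for s in sims
                  if s["user"] in roles and s["campaign"] not in ROLE_CAMPAIGNS[roles[s["user"]]])


def cohort_metrics(roster, sims):
    """Click and report rates for the high-risk cohort versus the baseline population."""
    roles, everyone = high_risk_users(roster), {r["user"] for r in roster}
    buckets = {"high_risk": [], "baseline": []}
    for s in sims:
        if s["user"] in everyone:  # ignore simulation rows for users no longer on the roster
            buckets["high_risk" if s["user"] in roles else "baseline"].append(s)
    out = {}
    for name, rows in buckets.items():
        n = len(rows)
        clicks = sum(int(r["clicked"]) for r in rows)
        reports = sum(int(r["reported"]) for r in rows)
        out[name] = {"n": n, "click_rate": clicks / n if n else None,
                     "report_rate": reports / n if n else None}
    return out


if __name__ == "__main__":
    roster, training, sims = load(ROSTER_CSV), load(TRAINING_CSV), load(SIM_CSV)
    print("training gaps:", training_gaps(roster, training))
    print("mistargeted simulations:", mistargeted_simulations(roster, sims))
    print("cohort metrics:", cohort_metrics(roster, sims))
```

Run against the sample data, the script flags bob (no HR supplemental module), carol (role module completed outside the 12-month window) and frank (finance user who only received a generic campaign), and reports the high-risk cohort's click and report rates beside the baseline population's so the comparison in the last step can be made on the same basis.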