The NIST Framework lists “awareness and training” as a key component of network protection. But how do you go about it? For its part, NIST recommends role-based training. In theory, your company should incorporate its most important physical, administrative, and technical control requirements into customized privacy and security training. That training should be broken down into five different classes of users: general users, privileged users, senior executives, physical and information security personnel, and third-parties (such as customers and vendors). In terms of frequency, training should be continuous, starting with new users, recurring at least annually, and providing out-of-cycle instruction in the event of significant information systems changes or policy revisions.