Awareness and training
AT-1 Security Awareness And Training Policy And Procedures
Description
The organization:
- Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
  - A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  - Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
- Reviews and updates the current:
  - Security awareness and training policy [Assignment: organization-defined frequency]; and
  - Security awareness and training procedures [Assignment: organization-defined frequency].
Control Information
Responsible role(s) - Organization
AT-2 Security Awareness Training
Description
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):
- As part of initial training for new users;
- When required by information system changes; and
- [Assignment: organization-defined frequency] thereafter.
Control Information
Responsible role(s) - Organization
AT-2 (1) Practical Exercises
Description
The organization includes practical exercises in security awareness training that simulate actual cyber attacks.
Control Information
Responsible role(s) - Organization
AT-2 (2) Insider Threat
Description
The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.
Control Information
Responsible role(s) - Organization
AT-3 Role-Based Security Training
Description
The organization provides role-based security training to personnel with assigned security roles and responsibilities:
- Before authorizing access to the information system or performing assigned duties;
- When required by information system changes; and
- [Assignment: organization-defined frequency] thereafter.
Control Information
Responsible role(s) - Organization
AT-3 (1) Environmental Controls
Description
The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls.
Control Information
Responsible role(s) - Organization
AT-3 (2) Physical Security Controls
Description
The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls.
Control Information
Responsible role(s) - Organization
AT-3 (3) Practical Exercises
Description
The organization includes practical exercises in security training that reinforce training objectives.
Control Information
Responsible role(s) - Organization
AT-3 (4) Suspicious Communications And Anomalous System Behavior
Description
The organization provides training to its personnel on [Assignment: organization-defined indicators of malicious code] to recognize suspicious communications and anomalous behavior in organizational information systems.
Control Information
Responsible role(s) - Organization
AT-4 Security Training Records
Description
The organization:
- Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and
- Retains individual training records for [Assignment: organization-defined time period].
Control Information
Responsible role(s) - Organization