AT.L2-3.2.1
-
Requirement
Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
-
Discussion
Organizations determine the content and frequency of security awareness training and security awareness techniques based on the specific organizational requirements and the systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques include: formal training; offering supplies inscribed with security reminders; generating email advisories or notices from organizational officials; displaying logon screen messages; displaying security awareness posters; and conducting information security awareness events. NIST SP 800-50 provides guidance on security awareness and training programs.
-
Further Discussion
Awareness training focuses user attention on security. Several techniques can be used, such as:- synchronous or asynchronous training;
- simulations (e.g., simulated phishing emails);
- security awareness campaigns (posters, reminders, group discussions); and
- communicating regular email advisories and notices to employees.
Example
You want to provide information to employees so they can identify phishing emails. To do this, you prepare a presentation that highlights basic traits, including:- suspicious-looking email address or domain name;
- a message that contains an attachment or URL; and
- a message that is poorly written and often contains obvious misspelled words.
Potential Assessment Considerations
- Do all users, managers, and system administrators receive initial and refresher training commensurate with their roles and responsibilities [c,d]?
- Do training materials identify the organizationally defined security requirements that must be met by users while interacting with the system as described in written policies, standards, and procedures [d]?
NIST 800-171A Assessment Guidance
CMMC Training
Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!