Control: The organisation provides basic security awareness training to information system users (including managers, senior executives, and contractors):
C. {Assignment: organisation-defined frequency} thereafter.
Supplemental Guidance: Organisations determine the appropriate content of security awareness training and security awareness techniques based on the specific organisational requirements and the information systems to which personnel have authorised access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organisational officials, displaying logon screen messages, and conducting information security awareness events.
Security Awareness Control Enhancements:
AT-2 (1) Security Awareness - Practical Exercises
The organisation includes practical exercises in security awareness training that simulate actual cyber attacks.
Supplemental Guidance: Practical exercises may include, for example, no-notice social engineering attempts to collect information, gain unauthorised access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links.
AT-2 (2) Security Awareness - Insider Threat
The organisation includes security awareness training on recognising and reporting potential indicators of insider threat.
Supplemental Guidance: Potential indicators and possible precursors of insider threat can include behaviours such as inordinate, long-term job dissatisfaction, attempts to gain access to information not required for job performance, unexplained access to financial resources, bullying or sexual harassment of fellow employees, workplace violence, and other serious violations of organisational policies, procedures, directives, rules, or practices. Security awareness training includes how to communicate employee and management concerns regarding potential indicators of insider threat through appropriate organisational channels in accordance with established organisational policies and procedures.