AT-02 Security Awareness

Control: The organization provides basic security awareness training to all information system users (including managers and senior executives) before authorizing access to the system, when required by system changes, and [Assignment: organization-defined frequency, at least annually] thereafter.

Supplemental Guidance: The organization determines the appropriate content of security awareness training based on the specific requirements of the organization and the information systems to which personnel have authorized access. The organization’s security awareness program is consistent with the requirements contained in C.F.R. Part 5 Subpart C (5 C.F.R. 930.301) and with the guidance in NIST Special Publication 800-50.

Control Enhancements: (0) None.

Baseline: LOW AT-2 MOD AT-2 HIGH AT-2

Family: Awareness And Training

Class: Operational

ISO 17799 mapping: 6.2.3, 8.2.2, 10.4.1, 11.7.1, 13.1.1, 14.1.4, 15.1.4

COBIT 4.1 mapping: PO7.4

PCI-DSS v2 mapping: 12.6.1a