AT.L3-3.2.1e Advanced Threat Awareness

Provide awareness training upon initial hire, following a significant cyber event, and at least annually, focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.

Source: NIST SP 800-172 3.2.1e

Discussion: An effective method to detect APT activities and reduce the effectiveness of those activities is to provide specific awareness training for individuals. A well-trained and security-aware workforce provides another organizational safeguard that can be employed as part of a defense-in-depth strategy to protect organizations against malicious code injections via email or web applications. Threat awareness training includes educating individuals on the various ways that APTs can infiltrate organizations, including through websites, emails, advertisement pop-ups, articles, and social engineering. Training can include techniques for recognizing suspicious emails, the use of removable systems in non-secure settings, and the potential targeting of individuals by adversaries outside the workplace. Awareness training is assessed and updated periodically to ensure that the training is relevant and effective, particularly with respect to the threat since it is constantly, and often rapidly, evolving. [SP 800-50] provides guidance on security awareness and training programs.

Assessment Objectives:

Determine if:

Examine: [SELECT FROM: Awareness training policy; procedures addressing awareness training implementation; appropriate codes of federal regulations; awareness training curriculum; awareness training materials; security plan; training records; threat information on social engineering, advanced persistent threat actors, suspicious behaviors, and breaches; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel responsible for awareness training; organizational personnel responsible for information security; organizational personnel comprising the general system user community].

Test: [SELECT FROM: Mechanisms managing awareness training; mechanisms managing threat information].

SPRS Score: 1

POA&M Allowed: Yes