Information Technology Reference
In-Depth Information
Category/Subcategory/Element | Control Reference | Control Summary | Interpretation

AT-2 Security awareness
The organization provides basic security awareness training to all information system users (including managers and senior executives) before authorizing access to the system, when required by system changes and [assignment: organization-defined frequency, at least annually] thereafter.

AT-3 Security training
The organization identifies personnel who have significant information system security roles and responsibilities during the system development life cycle, documents those roles and responsibilities, and provides appropriate information system security training: (i) before authorizing access to the system or performing assigned duties; (ii) when required by system changes; and (iii) [assignment: organization-defined frequency] thereafter.

AT-4 Security training records
The organization documents and monitors individual information system security training activities, including basic security awareness training and specific information system security training.

AT-5 Contacts with security groups and associations
The organization establishes and maintains contacts with special interest groups, specialized forums, professional associations, news groups, or peer groups of security professionals in similar organizations to stay up to date with the latest recommended security practices, techniques, and technologies and to share the latest security-related information, including threats, vulnerabilities, and incidents.
 