AT - Awareness and Training
- Controls Count: 1
- Controls IDs: AT-2 (3)
Controls
AT-2 (3): Social Engineering and Mining
Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining.
Social engineering is an attempt to trick an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, thread-jacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks. Literacy training includes information on how to communicate the concerns of employees and management regarding potential and actual instances of social engineering and data mining through organizational channels based on established policies and procedures.
literacy training on recognizing potential and actual instances of social engineering is provided;
literacy training on reporting potential and actual instances of social engineering is provided;
literacy training on recognizing potential and actual instances of social mining is provided;
literacy training on reporting potential and actual instances of social mining is provided.
System security plan
privacy plan
literacy training and awareness policy
procedures addressing literacy training and awareness implementation
literacy training and awareness curriculum
literacy training and awareness materials
other relevant documents or records
Organizational personnel who receive literacy training and awareness
organizational personnel with responsibilities for literacy training and awareness
organizational personnel with information security and privacy responsibilities