Navigate

AT-2 (1)

AT-2 (1): Practical Exercises

The organization includes practical exercises in security awareness training that simulate actual cyber attacks.

Supplemental

Practical exercises may include, for example, no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
None

Related Controls

The controls below (if any) were marked by NIST as being related to AT-2 (1).

Control	Description
CA-2	The organization: CA-2a.: Develops a security assessment plan that describes the scope of the assessment including: CA-2a.1.: Security controls and control enhancements under assessment; CA-2a.2.: Assessment procedures to be used to determine security control effectiveness; and CA-2a.3.: Assessment environment, assessment team, and assessment roles and responsibilities; CA-2b.: Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; CA-2c.: Produces a security assessment report that documents the results of the assessment; and CA-2d.: Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
CA-7	The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: CA-7a.: Establishment of [Assignment: organization-defined metrics] to be monitored; CA-7b.: Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; CA-7c.: Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; CA-7d.: Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; CA-7e.: Correlation and analysis of security-related information generated by assessments and monitoring; CA-7f.: Response actions to address results of the analysis of security-related information; and CA-7g.: Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
CP-4	The organization: CP-4a.: Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; CP-4b.: Reviews the contingency plan test results; and CP-4c.: Initiates corrective actions, if needed.
IR-3	The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results.

Enhancements

The controls below (if any) add on to the requirements of AT-2 (1).

Control	Description
No controls

Related CCIs

The CCIs below are tied to AT-2 (1).

CCI	Definition
CCI-000107	The organization includes practical exercises in security awareness training that simulate actual cyber attacks.