AT.L2-3.2.1—Role-Based Risk Awareness
Level 2
800-171: 3.2.1
>Control Description
Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
>Cross-Framework Mappings
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What is your security awareness program governance structure?
- •How do you identify and define security risks for different roles?
- •What is your process for developing and approving awareness training content?
- •How frequently do you review and update your awareness training program?
- •Who is responsible for overseeing the security awareness program?
Technical Implementation:
- •What learning management system (LMS) delivers awareness training?
- •How do you track training completion and compliance?
- •What technologies deliver role-specific security content?
- •How is training content delivered to different user populations?
- •What tools generate training completion reports?
Evidence & Documentation:
- •What training materials and curricula can you provide?
- •What training completion records and certificates demonstrate compliance?
- •What training attendance rosters and sign-in sheets can you show?
- •What LMS reports show training assignment and completion?
- •What documentation shows training content is current and role-appropriate?
- •What evidence demonstrates initial and refresher training?
Ask AI
Configure your API key to use AI features.