AT-2(3)—Literacy Training and Awareness | Social Engineering and Mining
>Control Description
>DoD Impact Level Requirements
No specific parameter values or requirements for this impact level.
>Discussion
Social engineering is an attempt to trick an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, thread-jacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks.
Literacy training includes information on how to communicate the concerns of employees and management regarding potential and actual instances of social engineering and data mining through organizational channels based on established policies and procedures.
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What formal policies and procedures govern the implementation of AT-2(3) (Social Engineering and Mining)?
- Who are the designated roles responsible for implementing, maintaining, and monitoring AT-2(3)?
- How frequently is the AT-2(3) policy reviewed and updated, and what triggers policy changes?
- What training or awareness programs ensure personnel understand their responsibilities related to AT-2(3)?
Technical Implementation:
- Describe the specific technical mechanisms or controls used to enforce AT-2(3) requirements.
- What automated tools, systems, or technologies are deployed to implement AT-2(3)?
- How is AT-2(3) integrated into your system architecture and overall security posture?
- What configuration settings, parameters, or technical specifications enforce AT-2(3) requirements?
Evidence & Documentation:
- What documentation demonstrates the complete implementation of AT-2(3)?
- What audit logs, records, reports, or monitoring data validate AT-2(3) compliance?
- Can you provide evidence of periodic reviews, assessments, or testing of AT-2(3) effectiveness?
- What artifacts would you present during a FedRAMP assessment to demonstrate AT-2(3) compliance?