AT-3(3): Practical Exercises

Control Family: Awareness And Training

CSF v1.1 References:

PF v1.0 References:


(Not part of any baseline)

Next Version:

Control Statement

The organization includes practical exercises in security training that reinforce training objectives.

Supplemental Guidance

Practical exercises may include, for example, security training for software developers that includes simulated cyber attacks exploiting common software vulnerabilities (e.g., buffer overflows), or spear/whale phishing attacks targeted at senior leaders/executives. These types of practical exercises help developers better understand the effects of such vulnerabilities and appreciate the need for security coding standards and processes.