Security Awareness Training Policy

Document Version: 1.0
Last Updated: July 19, 2025
Owner: Chief Information Security Officer (CISO)


1. Purpose

This policy establishes the requirements and responsibilities for providing security awareness and training to all employees, contractors, and relevant third-party personnel. The purpose is to reduce risk from human-related security threats through education and consistent reinforcement of security best practices.


2. Scope

This policy applies to all personnel who have access to DevSecOpsBook’s systems, data, applications, networks, or facilities—including employees, contractors, interns, and third-party service providers.


3. Policy Statements

3.1 Mandatory Security Awareness Training

  • All new personnel must complete security awareness training within 30 days of their start date.
  • Annual refresher training is mandatory for all personnel with system or data access.
  • Training must cover topics such as:
    • Password hygiene and multifactor authentication (MFA)
    • Phishing, social engineering, and email security
    • Acceptable use of IT resources
    • Secure handling of sensitive data (e.g., PII, customer data)
    • Reporting security incidents or suspicious activities

3.2 Role-Based Training

  • Specialized security training must be provided based on the individual’s role and access level. For example:
    • Developers must be trained in secure coding practices and secure DevOps.
    • System administrators must understand patch management, access controls, and audit logging.

3.3 Awareness Reinforcement

  • Ongoing awareness is reinforced through periodic simulated phishing campaigns, newsletters, and security tips.
  • Topics are updated based on emerging threats and lessons learned from internal incidents or industry events.

3.4 Training Records and Audits

  • Completion of all training sessions must be logged and tracked in a centralized Learning Management System (LMS).
  • HR and the CISO jointly ensure that records are maintained for audit and compliance verification purposes.
  • Non-compliance is escalated to the employee’s manager and may result in restricted access until completion.

3.5 Acknowledgment

  • All personnel must sign an acknowledgment form confirming completion of training and acceptance of the organization’s security policies.

4. Responsibilities

Role                       Responsibility
CISO                       Define the curriculum; review training content annually
HR Department              Track training completion; manage the onboarding process
Department Managers        Ensure direct reports complete required training
Employees & Contractors    Complete assigned training on time

5. References

  • SOC 2 Trust Services Criteria: CC1.4 (commitment to competence, including training), CC2.2 (internal communication of control objectives and responsibilities)
  • NIST SP 800-50: Building an Information Technology Security Awareness and Training Program
  • ISO/IEC 27001: Annex A control A.7.2.2 (2013 edition) / A.6.3 (2022 edition), Information Security Awareness, Education, and Training
