PEO-02: Security Training
Objective
Build security awareness culture and reduce human-factor risks.
Description
All employees complete security awareness training at hire and annually thereafter. Training covers phishing, password security, data handling, and incident reporting. Phishing simulations measure whether the training changes behavior.
Implementation Details
Onboarding Training: New hires complete security training within their first week. It covers acceptable use, data classification, the password policy, and phishing recognition.
Annual Training: All employees complete annual security training. Content is updated for current threats, and completion is tracked in the LMS.
Phishing Simulations: Simulated phishing campaigns run quarterly. Employees who click a simulated lure receive remedial training, and the click rate is tracked over time.
Role-Specific: Engineers receive additional training on secure coding and the OWASP Top 10. The support team is trained on handling customer data.
Examples
- 2024: 100% of employees completed annual security training
- Q4 2024 phishing simulation: 5% click rate (down from 15% in Q1)
- Engineering team completed secure coding training covering SQL injection and XSS
- New hire security training includes hands-on WebAuthn setup
Audit Evidence
- Security training curriculum
- Training completion reports
- Phishing simulation results
- Role-specific training records
Framework Mapping
SOC 2
- CC1.4 ^[Security training demonstrates commitment to attracting, developing, and retaining competent personnel]
- CC2.2 ^[Training communicates security responsibilities and expected behavior to all personnel]
GDPR
- Article 32 ^[Security awareness training is an organizational measure ensuring personnel understand data protection obligations]
Referenced By
This section is automatically generated by make generate-backlinks. Do not edit manually.
Processes:
- Security Training Process ^[7-step training program: new hire, annual refresher, role-specific, phishing simulations, tracking, remedial, content updates]
Policies:
Charter: