Nested Knowledge

Bringing Systematic Review to Life


wiki:policies:security_training

Differences

This shows you the differences between two versions of the page.

wiki:policies:security_training [2022/01/11 18:53]
kholub
wiki:policies:security_training [2023/09/28 21:07]
kholub
Line 11: Line 11:
 ===== III. Security Awareness Training Policy ===== ===== III. Security Awareness Training Policy =====
  
-Nested Knowledge distributes security policies to all employees and contractors as part of their training. When policies are updated, we ensure that all employees have ready access to the most recent version. All employees with roles in incident response, data protection, or data recovery must sign off on the corresponding policy. We require all remote employees to review the remote access policy.+Nested Knowledge distributes security policies to all employees and contractors as part of their training. Training includes a quiz on the content of each policy. Training is conducted annually, for all policies relevant to an employees job duties. 
 + 
 +When policies are updated, we ensure that all employees have ready access to the most recent version. All employees with roles in incident response, data protection, or data recovery must sign off on the corresponding policy. We require all remote employees to review the remote access policy.
  
 ==== Developer Training ==== ==== Developer Training ====
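Review bot: the added sentence in the first paragraph has a missing apostrophe and a stray trailing space: "relevant to an employees job duties" should read "relevant to an employee's job duties". The new quiz requirement also states no completion criterion or record, whereas the unchanged text requires a sign-off for incident response, data protection and data recovery roles; consider stating how quiz completion is evidenced so the two requirements read consistently.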
Line 17: Line 19:
 Developers are expected to be familiar with common vulnerabilities in web applications, how to detect them, and how to mitigate them. To standardize this expectation, [[https://owasp.org/|OWASP]] modules & guidelines are trained. Specifically: Developers are expected to be familiar with common vulnerabilities in web applications, how to detect them, and how to mitigate them. To standardize this expectation, [[https://owasp.org/|OWASP]] modules & guidelines are trained. Specifically:
  
-  * All developers perform an annual review of the [[https://owasp.org/www-project-top-ten/|OWASP Top 10]]and communicate +  * All developers perform an annual review of the [[https://owasp.org/www-project-top-ten/|OWASP Top 10]] and pass a practical quiz relating to vulnerabilities within. 
-  * Each developer annually completes a randomly selected scenario from the [[https://owasp.org/www-project-web-security-testing-guide/v42/2-Introduction/|OWASP Web Security Testing Guidelines (WSTG)]] on the Nested Knowledge software+  * Each developer annually completes a randomly selected test from the [[https://owasp.org/www-project-web-security-testing-guide/v42/2-Introduction/|OWASP Web Security Testing Guidelines (WSTG)]] on the Nested Knowledge software
       * Scenarios will be selected and assigned by the Technical Lead using our issue management software       * Scenarios will be selected and assigned by the Technical Lead using our issue management software
       * Each scenario includes a description of the threat, and testing methods. The developer inventories surface area, and performs a test/penetration in a development environment, as applicable.       * Each scenario includes a description of the threat, and testing methods. The developer inventories surface area, and performs a test/penetration in a development environment, as applicable.
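Review bot: the changed second bullet now says each developer completes a randomly selected "test" from the WSTG, but the two unchanged sub-bullets beneath it still say "Scenarios will be selected and assigned by the Technical Lead" and "Each scenario includes a description of the threat"; use one term throughout ("test" or "scenario") so the assignment procedure clearly refers to the same item.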
Line 40: Line 42:
 ^Author^Date of Revision/Review^Comments| ^Author^Date of Revision/Review^Comments|
 |K. Cowie|12/15/2021| | |K. Cowie|12/15/2021| |
 +|K. Holub|1/25/2023|Updated Dev Security Training Practices|
 +
 +[[:wiki:policies|Return to Policies]]
  
  
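Review bot: the new revision-table row describes this change as "Updated Dev Security Training Practices", but the same revision also changes the general policy in section III (annual training for all employees and contractors, and a quiz on each policy), which that comment does not cover; widen the comment so the revision table reflects both changes.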
wiki/policies/security_training.txt · Last modified: 2024/04/12 17:15 by kholub