This shows you the differences between two versions of the page.
wiki:policies:security_training [2021/12/16 04:10] katcow |
wiki:policies:security_training [2024/04/12 17:15] (current) kholub |
Line 1: | Line 1: | ||
- | ====== Security Awareness Training ====== | + | ====== Security Awareness Training |
===== I. Purpose ===== | ===== I. Purpose ===== | ||
+ | |||
Nested Knowledge has a responsibility to educate our personnel on security practices and to comply with federal regulations related to Information Security awareness. This policy describes our plan to educate users on the importance of security. | Nested Knowledge has a responsibility to educate our personnel on security practices and to comply with federal regulations related to Information Security awareness. This policy describes our plan to educate users on the importance of security. | ||
===== II. Scope ===== | ===== II. Scope ===== | ||
+ | |||
This policy affects all employees, contractors, | This policy affects all employees, contractors, | ||
- | ===== III. Policy ===== | + | ===== III. Security Awareness Training |
- | Nested Knowledge distributes security policies to all employees and contractors as part of their training. When policies are updated, we ensure that all employees have ready access to the most recent version. All employees with roles in incident response, data protection, or data recovery must sign off on the corresponding policy. We require all remote employees to review the remote access policy. | + | |
- | ===== IV. Enforcement ===== | + | Nested Knowledge distributes security policies to all employees and contractors as part of their training. Training includes a quiz on the content of each policy. Training is conducted annually, for all policies relevant to an employees job duties. |
- | Employees who fail to review and comply with our information security policies, including the access control and incident management policy, will be issued a warning and required to demonstrate comprehension of security rules and procedures. Continued failure may result in disciplinary action. | + | |
+ | When policies are updated, we ensure that all employees have ready access to the most recent version. All employees with roles in incident response, data protection, or data recovery must sign off on the corresponding policy. We require all remote employees to review the remote access policy. | ||
+ | |||
+ | ^Training^Delivered to| | ||
+ | |Acceptable Use of IT Resources|All| | ||
+ | |Incident Response|Incident Response Team| | ||
+ | |Cloud Security|Development Team| | ||
+ | |Information Security|All| | ||
+ | |Wireless Connection|All| | ||
+ | |Secure Development|Development Team| | ||
+ | |Disaster Recovery |Executive Team| | ||
+ | |Security Awareness|All| | ||
+ | |GDPR Compliance|All| | ||
+ | |Remote Access|All| | ||
+ | |||
+ | ==== Developer Training ==== | ||
+ | |||
+ | Developers are expected to be familiar with common vulnerabilities in web applications, | ||
+ | |||
+ | * All developers perform an annual review of the [[https:// | ||
+ | * Each developer annually completes a randomly selected test from the [[https:// | ||
+ | * Scenarios will be selected and assigned by the Technical Lead using our issue management software | ||
+ | * Each scenario includes a description of the threat, and testing methods. The developer inventories surface area, and performs a test/ | ||
+ | * The developer writes up their approach & findings in the issue, which is then reviewed by the technical lead. | ||
+ | * Any developer introducing a vulnerability identified in code review or later is expected to: | ||
+ | * Study the corresponding [[https:// | ||
+ | * Demonstrate understanding of the threat to the technical lead, with regards to both the code instance and the general threat model. | ||
+ | * With the technical lead, perform a review of relevant code examples in the code base and explain the mitigations used. | ||
+ | * [[https:// | ||
+ | |||
+ | ===== IV. Data Protection Training Policy ===== | ||
+ | |||
+ | Employee training requirements are based on the [[https:// | ||
+ | |||
+ | ===== Enforcement ===== | ||
+ | |||
+ | Employees who fail to review and comply with our information security policies, including the access control and incident management policy, will be issued a warning and required to demonstrate comprehension of security rules and procedures. Continued failure may result in disciplinary action. | ||
===== Revision History ===== | ===== Revision History ===== | ||
^Author^Date of Revision/ | ^Author^Date of Revision/ | ||
- | |K. Cowie|12/ | + | |K. Cowie|12/ |
- | |K. Holub| | | | + | |K. Holub|4/12/2024|Adding listing of all current policies| |
- | |K. Kallmes| || | + | |
+ | [[: | ||
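Review bot: the section numbering in this revision is now inconsistent: the renamed "===== III. Security Awareness Training" and the new "===== IV. Data Protection Training Policy =====" continue the I–IV sequence, but the moved "===== Enforcement =====" (previously "IV. Enforcement") has lost its numeral; suggest "===== V. Enforcement =====". Two smaller points in the added text: "all policies relevant to an employees job duties" should read "an employee's job duties", and the training table row "|Disaster Recovery |Executive Team|" carries a trailing space inside the first cell, unlike the other rows. In the Developer Training list, the item ending "is expected to:" is followed by the "Study the corresponding", "Demonstrate understanding" and "With the technical lead" items at the same bullet level; if those are meant as sub-steps, indent them one level so the list structure matches the sentence.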