Information Security Training Policy
Classification: Internal
Document status: Effective
Version: 1.0
Owner: Management / Security Owner
Effective date: 2026-05-13
Review cycle: Annual; interim revision upon material change to threats, tooling, or regulatory expectations
Purpose
This policy establishes the requirement for information security awareness training for personnel who perform company or customer work.
Scope
This policy applies to employees, contractors, subcontractors, developers, QA personnel, and others who access company or customer systems, repositories, data, or credentials in the course of their duties.
Policy
Personnel assigned to customer work complete information security awareness training at onboarding and at least once per calendar year thereafter. Delivery may use internal presentations, recorded sessions, an approved learning platform, or equivalent documented material.
Training content
Training addresses at minimum:
- Phishing and social engineering awareness
- Password and multi-factor authentication hygiene
- Handling of customer confidential and regulated categories of data
- Secure use of repositories, branches, and pull requests
- Endpoint security expectations under the Endpoint Security Policy
- Security incident reporting
- Customer access boundaries and need-to-know
Records
The organization retains training material (or version reference) and completion records: participant identifier, completion date, and material version.
Exceptions
Exceptions require management approval, a defined end date, and compensating controls where applicable. Personnel with overdue mandatory training do not receive new customer system or repository access until their training is current.