Security Training and Awareness

## Policy Statement

Category: Policies

Applies to: General guidance

Coverage: 0 controls, 0 queries

Asset types: Not specified

Overview

Your organization promotes a security-first culture. To support this culture, the company is committed to providing financial and moral support for employees who are:

  • acquiring certifications (cloud competencies, security certifications, etc.);
  • being trained in skills they lack or that are needed to perform their job functions;
  • receiving proper education about your organization's policies and procedures;
  • raising security awareness for both the individual and the entire company.

Your organization has named the following responsible officers:

  • Chief Information Security Officer - in charge of HITRUST, HIPAA, ISO 27001, PCI-DSS;
  • Chief Data Protection Officer - in charge of ISO 27001, HIPAA;
  • Chief Privacy Officer - in charge of GDPR, CCPA, HIPAA.

For managing training and security awareness programs for employees, your organization uses a SaaS-based solution offered by Mimecast. This tool offers traceable progress and phishing tests, and helps your organization predict employee security risk.

Scope

All your organization employees with access to Protected and Confidential data and information assets must participate in information security awareness training. When appropriate, information security training will be provided to individuals whose job functions require specialized skills or knowledge in information security.

Procedures

Procedures and mapped controls

Importance of Security

At your organization we take product security very seriously. Your organization's practices include designing for both security and privacy in product software, IT applications, and cloud services.

We have rigorous software security policies and processes designed to proactively find and remove software security defects such as security vulnerabilities.

Your organization's products, IT applications, and cloud services must not only fulfill their stated function of helping to protect your organization's customers; the software itself must also be built to protect itself from vulnerabilities and attackers. Your organization strives to build software that demonstrates resilience against attacks.

Developers are expected to pursue ongoing developer education. Self-training is encouraged.

Timeline for Security Training and Awareness

  • Your organization requires new employees to take security awareness training within 30 days of joining;
  • Your organization requires existing employees to take security awareness training annually;
  • Your organization requires existing employees to take security awareness training within 30 days of a major change in the company's infrastructure or systems.

Training

When necessary, the information security program must provide or coordinate training for individuals whose job functions require special knowledge of security threats, vulnerabilities, and safeguards. This training must focus on expanding knowledge, skills, and abilities for individuals who are assigned information security responsibilities. To begin training, the employee must make an official request (email) to the CISO.

Certifications

IT professionals with cloud or security skills are in high demand, and certifications can make you even more employable by validating your cloud skills and expertise. At the same time, cloud certifications help your organization become more trustworthy and capable.

Your organization covers the cost of acquiring training and certifications, including but not limited to:

  • Google Certified Professional Cloud Architect
  • Google Certified Professional Data Engineer
  • AWS Certified Solutions Architect – Associate
  • AWS Certified SysOps Administrator
  • AWS Certified Developer – Associate
  • Microsoft Certified: Microsoft Azure Fundamentals
  • Microsoft Certified: Azure Administrator Associate
  • Microsoft Certified: Azure Solutions Architect Expert
  • Certified Cloud Security Professional (CCSP)
  • CompTIA Cloud+

Awareness

One of the goals of a robust security training program is to raise awareness and understanding of cyber threats among staff. However, to motivate change it is often necessary not just to punish negative behavior but to reward positive behavior. A reward system for employees who follow procedures and complete testing according to the training roadmap will engage staff in the success of security. Rewards should also be provided for reporting security issues and concerns, to keep lines of communication open.

Your organization promotes ongoing information security awareness via:

  • Regular articles published in corporate newsletters;
  • Information security bulletins distributed to all employees to address security policy modifications, security alerts, and other urgent security issues;
  • Optional: distribution of employee manuals to all employees, requiring annual sign-off of agreement and compliance.

Conduct random simulations

A common mistake in security awareness training is using the same simulation techniques at the same time intervals. To get a real understanding of security preparedness, conduct simulations at random times and avoid always giving advance warning of the simulation. Companies can gain actionable data on the success of their training through careful scheduling and comprehensive analysis. See the Incident Response Policy for more information.

Query logic

These are the stored checks tied to this policy.

No stored query bodies are attached to this entry.

© 2026 Cyscale Limited
