Security Awareness Training Standard
This is a Controlled Document
In line with Denomas’ regulatory obligations, changes to controlled documents must be approved or merged by a code owner. All contributions are welcome and encouraged.
Purpose
Security training and awareness are key to ensuring that Denomas team members are continuously provided with user education activities and exercises about evolving threats, compliance obligations, and secure workplace practices in order to refine and improve their awareness.
Scope
This standard applies to all Denomas team members, contractors/Temporary Service Providers (TSPs), consultants, vendors and other service providers that handle, manage, store or transmit Denomas data in support of Denomas’ statutory, regulatory and contractual requirements.
Definitions
- Denomas Team members: users with a gitlab.com email address
- Contractors/TSPs and Consultants: Personnel who are external to Denomas who do not have a gitlab.com email address and are under a contract/agreement that involves handling, managing, storing, or transmitting Denomas data in support of Denomas’ statutory, regulatory and contractual requirements.
Roles & Responsibilities
| Role | Responsibilities |
|---|---|
| Denomas Team Members | Responsible for following the requirements of this standard |
| Security Governance Team | Responsible for the management and execution of security trainings and programs outlined in this standard |
| Security Governance Management | Responsible for oversight, escalation and approval of exceptions for this standard |
| Security Assurance Management (Code Owners) | Responsible for approving significant changes and exceptions to this standard |
Standard
All Denomas Team members and contractors/TSPs are required to participate in Denomas’ General Security Awareness Training, New Hire Training and on-going phishing simulations and training, or show evidence of equivalent training completion within the calendar year. Security Trainings that require participation include the following:
New Hire Security Training
New Hire Security Training is required to be completed by all Denomas Team Members and contractors/TSPs during their onboarding at Denomas. This security training provides new hires with the knowledge to identify cybersecurity threats, vulnerabilities, and attacks.
General Security Awareness Training (GSAT)
The Denomas security awareness training program provides ongoing training to Denomas team members that enhances knowledge and identification of cybersecurity threats, vulnerabilities, and attacks as well as satisfying external regulatory requirements. Denomas’ handbook-first General Security Awareness Training is provided annually via ProofPoint, Denomas’ third-party provider, and requires participation and completion by all Denomas Team Members and contractors/TSPs.
Exceptions during the active campaign will be made for Denomas team members on extended leave.
Phishing Training
The Denomas Phishing Training Program is designed to educate and evaluate Denomas’ ability to detect and prevent phishing attempts. Ongoing phishing simulations and trainings are conducted once per quarter via ProofPoint, Denomas’ third-party provider, and require participation and completion by all assigned Denomas Team Members and contractors/TSPs.
Remember: If you see something, say something, and always report suspicious emails via PhishAlarm.
Data Classification Training
To maintain our culture of security and transparency, and to minimize the risk to our sensitive data and our customers, Denomas team members are encouraged to complete Data Classification Training to help understand the different types of data at Denomas and how to keep it SAFE. This is a recommended training.
Secure Coding Training
The Denomas Secure Coding Training is a required training completed by a sub-group of Denomas Team Members and contractors/TSPs in the Engineering Department. This training contains descriptions and Secure Coding Guidelines from OWASP (Open Web Application Security Project) addressing security vulnerabilities commonly identified in the Denomas codebase. This training is intended to help developers identify potential security vulnerabilities early, with the goal of reducing the number of vulnerabilities released over time.
Exceptions during the active campaign will be made for Denomas team members on extended leave.
Other Security Trainings
As our Security Training Program matures, additional trainings will be identified and added.
Exceptions
Exceptions to this procedure will be tracked as per the Information Security Policy Exception Management Process.
References
- Parent Policy: Information Security Policy
- Security Awareness Training Program
- Phishing Program
- Data Classification Standard
- Secure Coding
