Security Awareness & Training Plan

Property	Value
Document ID	FW-004
Version	1.0
Status	Draft
Owner	Chief Information Security Officer (CISO)
Last Updated	2026-01-11
Next Review	2027-01-11
Related Controls	SOC 2: CC1.4, CC2.2 / ISO 27001: A.6.3

1. Purpose

This plan establishes the security awareness and training program to ensure all personnel understand their security responsibilities, recognize threats, and act in accordance with security policies.

2. Program Objectives

Build Security Culture: Foster a security-conscious mindset
Reduce Human Risk: Minimize security incidents from human error
Ensure Compliance: Meet training requirements for SOC 2/ISO 27001
Enable Reporting: Encourage security incident and concern reporting
Role-Specific Training: Provide specialized training for key roles

3. Training Requirements

3.1 Training by Audience

Audience	Training Required	Frequency	Duration
All Employees	Security Awareness Basics	Annually	30-45 min
All Employees	Phishing Awareness	Quarterly	10-15 min
New Hires	Security Onboarding	Within 7 days	60 min
Developers	Secure Coding	Annually	2 hours
IT/DevOps	Infrastructure Security	Annually	2 hours
Managers	Security Leadership	Annually	30 min
Privileged Users	Privileged Access Training	Annually	45 min
Incident Response Team	IR Training & Exercises	Annually	4 hours
Executives	Security Briefing	Quarterly	15 min

3.2 Training Matrix

Topic	All	Devs	IT/DevOps	Managers	IR Team
Security Policies Overview	✅	✅	✅	✅	✅
Phishing Recognition	✅	✅	✅	✅	✅
Password & MFA Best Practices	✅	✅	✅	✅	✅
Data Classification & Handling	✅	✅	✅	✅	✅
Incident Reporting	✅	✅	✅	✅	✅
Social Engineering	✅	✅	✅	✅	✅
Physical Security	✅	✅	✅	✅	✅
Remote Work Security	✅	✅	✅	✅	✅
OWASP Top 10		✅
Secure Code Review		✅
Cloud Security		✅	✅
Access Control Best Practices			✅
Privileged Access Management			✅		✅
Security Metrics & Reporting				✅
Incident Response Procedures			✅		✅
Evidence Handling					✅

4. Training Curriculum

4.1 Security Awareness Basics (Annual)

Module	Topics	Duration
1. Introduction	Why security matters, our responsibilities	5 min
2. Policies Overview	Key policies, where to find them	5 min
3. Phishing & Social Engineering	Recognizing attacks, reporting	10 min
4. Password & Authentication	Strong passwords, MFA, password managers	5 min
5. Data Protection	Classification, handling, sharing	5 min
6. Physical Security	Desk security, visitor policies	5 min
7. Incident Reporting	What to report, how to report	5 min
8. Quiz	Knowledge verification	5 min

4.2 New Hire Security Onboarding

Topic	Content	Duration
Welcome	Security culture, expectations	5 min
Policy Review	Key policies to acknowledge	10 min
Account Setup	MFA enrollment, password manager	10 min
Security Awareness Training	Core modules	30 min
Q&A and Resources	Where to get help	5 min

4.3 Developer Secure Coding Training

Module	Topics	Duration
1. OWASP Top 10	Common vulnerabilities	30 min
2. Secure Development Lifecycle	Security in SDLC	15 min
3. Input Validation	Preventing injection attacks	15 min
4. Authentication & Session	Secure auth patterns	15 min
5. Secrets Management	Handling credentials	15 min
6. Secure Code Review	Review techniques	15 min
7. Security Testing	SAST, DAST basics	15 min

4.4 Phishing Awareness (Quarterly)

Activity	Description
Simulated Phishing	Realistic phishing test emails
Just-in-Time Training	Training triggered by click
Metrics Review	Team performance dashboard
Tips & Updates	Current threat trends

5. Training Delivery Methods

Method	Use Cases	Tools
Online LMS	Annual training, new hire	KnowBe4, Curricula, etc.
Phishing Simulation	Quarterly phishing tests	KnowBe4, Cofense, etc.
Live Sessions	Specialized training, Q&A	Zoom, in-person
Lunch & Learns	Informal topics, updates	Monthly
Email Updates	Threat alerts, tips	Security newsletter
Tabletop Exercises	Incident response training	Annual
Capture the Flag	Developer security skills	Annual (optional)

6. Training Calendar

6.1 2026 Training Schedule

Month	Activity	Audience	Owner
January	Annual Security Awareness Launch	All	Security
February	Q1 Phishing Simulation	All	Security
March	Secure Coding Training	Developers	Security
April	Security Lunch & Learn	All	Security
May	Q2 Phishing Simulation	All	Security
June	IR Tabletop Exercise	IR Team	Security
July	Cloud Security Training	IT/DevOps	Security
August	Q3 Phishing Simulation	All	Security
September	Security Lunch & Learn	All	Security
October	Security Awareness Month	All	Security
November	Q4 Phishing Simulation	All	Security
December	Year-End Review & Metrics	Managers	Security

7. Phishing Simulation Program

7.1 Program Structure

Element	Description
Frequency	Quarterly (4x per year)
Difficulty	Progressive (easy → medium → hard)
Templates	Realistic, varied scenarios
Reporting	Report button training
Consequences	Training-focused (not punitive)

7.2 Phishing Metrics

Metric	Target	Baseline
Click rate	<5%	TBD
Report rate	>60%	TBD
Training completion	100%	N/A
Repeat offenders	<2%	TBD

7.3 Click Response

Occurrence	Action
First click	Just-in-time training (immediate)
Second click (within 12 months)	Training + manager notification
Third click (within 12 months)	Training + HR review

8. Measuring Effectiveness

8.1 Training Metrics

Metric	Target	Frequency
Training completion rate	100%	Monthly
New hire training (within 7 days)	100%	Monthly
Quiz pass rate	>85%	Per training
Phishing click rate	<5%	Quarterly
Phishing report rate	>60%	Quarterly
Security incidents from human error	Decreasing	Quarterly

8.2 Reporting

Report	Audience	Frequency
Training Dashboard	Security Team	Weekly
Completion Report	Managers	Monthly
Phishing Results	Executive Team	Quarterly
Annual Training Summary	Board/Audit	Annually

9. Training Records

9.1 Record Requirements

Record	Retention	Location
Training completion	3 years	LMS
Quiz scores	3 years	LMS
Phishing results	1 year	Phishing platform
Policy acknowledgements	Duration + 1 year	HR/LMS
Attendance (live sessions)	3 years	Sign-in sheets/LMS

9.2 Audit Evidence

For SOC 2/ISO 27001 audits:

Training completion reports by employee
Phishing simulation results
Training content and curriculum
New hire training timelines
Policy acknowledgement records

10. Roles and Responsibilities

Role	Responsibilities
CISO	Program oversight, executive reporting
Security Team	Develop content, conduct training, measure results
HR	Integrate with onboarding, track completion
Managers	Ensure team completion, reinforce training
Employees	Complete training, apply learning, report issues

11. Implementation Checklist

Program Setup

Select LMS and phishing simulation platform
Develop training content/select vendor courses
Integrate training with HR onboarding
Configure completion tracking
Set up reporting dashboards

Ongoing Operations

Launch annual training campaign
Conduct quarterly phishing simulations
Send monthly security tips
Track and report metrics
Update content based on threats

12. Evidence Requirements

Evidence Type	Description	Location	Retention
Training Completion Reports	Per-employee completion	LMS	3 years
Phishing Campaign Results	Quarterly results	Phishing platform	1 year
Training Content	Course materials	LMS/documentation	Current
Policy Acknowledgements	Signed acknowledgements	HR system	Duration + 1 year
Program Metrics	Dashboards and reports	Security reporting	1 year

13. Related Documents

14. Version History

Version	Date	Author	Changes
1.0	2026-01-11	Security Team	Initial release

This document is classified as INTERNAL. Unauthorized distribution is prohibited.