
Employee Security Training

Last updated: January 15, 2026

Security Awareness Training Policy

Document owner: Chief Information Security Officer (CISO)
Version: 3.0
Effective date: January 1, 2026
Last updated: January 15, 2026
Classification: Public — Trust Center
Review cadence: Annual review; updates for emerging threats
Company: Acme Cloud, Inc.
Address: 1200 Market Street, Suite 400, San Francisco, CA 94103, USA
Primary contacts: trust@acmecloud.com | security@acmecloud.com | privacy@acmecloud.com


Definitions and Key Terms

Term | Definition
Security Awareness | The knowledge and attitude members of an organization possess regarding the protection of physical and information assets
Phishing | A social engineering attack that uses fraudulent communications (email, SMS, voice, chat) to deceive recipients into revealing sensitive information or taking a harmful action such as opening an attachment or approving a payment
Social Engineering | Psychological manipulation techniques used to trick people into making security mistakes or giving away sensitive information
Spear Phishing | Targeted phishing directed at specific individuals or organizations using personalized information gathered about the target
Business Email Compromise (BEC) | A scam targeting organizations that conduct wire transfers or pay invoices, using compromised or impersonated business email accounts (including lookalike domains) to redirect payments or extract data
Malware | Malicious software designed to damage, disrupt, or gain unauthorized access to computer systems
Ransomware | Malware that encrypts files (and often also exfiltrates data) and demands payment for decryption or for not publishing the data
Multi-Factor Authentication (MFA) | A security mechanism requiring two or more independent verification factors (something you know, have, or are) to gain access
Password Manager | Software that generates, securely stores, and fills unique passwords so that no password is reused across services
Clean Desk Policy | Requirements for securing sensitive information and locking screens when leaving a workstation unattended
Data Classification | The process of categorizing data based on its sensitivity and the impact of unauthorized disclosure
Privileged Access | Elevated system access rights that allow administrative functions
Insider Threat | Security risks that originate from within the organization, whether intentional or accidental
Incident | A security event that has been identified and requires investigation or response
Compliance Training | Training required to meet regulatory or contractual obligations
Learning Management System (LMS) | Software application for administering, tracking, and delivering training courses
Security Champion | A development team member with additional security responsibilities
Tabletop Exercise | A discussion-based exercise where participants review and discuss responses to scenarios
Phishing Simulation | Controlled test phishing campaigns to assess and train employee awareness
Security Culture | The collective attitudes, behaviors, and practices regarding security within an organization

Scope and Purpose

This Security Awareness Training Policy establishes Acme Cloud, Inc.'s requirements for educating all personnel on information security risks, responsibilities, and best practices. The policy scope encompasses all employees, contractors, temporary workers, and third parties with access to Acme Cloud systems, data, or facilities. The purpose is to create a strong security culture where every individual understands their role in protecting the organization's assets, reducing human-related security risks, meeting compliance requirements, and supporting the overall security program.

Training Program Objectives

Objective | Description | Measurement
Risk Reduction | Reduce human-caused security incidents | Incident metrics
Compliance | Meet regulatory and certification requirements | Audit results
Culture Building | Foster security-conscious behavior | Survey results
Skill Development | Build security knowledge and skills | Assessment scores
Threat Awareness | Keep personnel informed of current threats | Training currency
Empowerment | Enable employees to identify and report threats | Reporting rates

Applicability Matrix

Personnel Category | General Training | Role-Based Training | Phishing Simulations | Compliance Training
Full-Time Employees | Required | Per role | Required | Per role
Part-Time Employees | Required | Per role | Required | Per role
Contractors (onsite) | Required | Per role | Required | Per role
Contractors (remote) | Required | Per role | Required | Per role
Temporary Workers | Required | Per role | Optional | Per role
Executive Leadership | Required | Required | Required | Required
Board Members | Overview | N/A | N/A | N/A

Training Program Structure

Training Curriculum Overview

Training Category | Audience | Duration | Frequency | Delivery
Security Fundamentals | All personnel | 60 minutes | Annual | LMS
New Hire Security Orientation | New employees | 45 minutes | Onboarding | LMS + live
Phishing Awareness | All personnel | 20 minutes | Annual | LMS
Password and Authentication | All personnel | 15 minutes | Annual | LMS
Data Protection and Privacy | All personnel | 30 minutes | Annual | LMS
Social Engineering Defense | All personnel | 25 minutes | Annual | LMS
Physical Security | All personnel | 15 minutes | Annual | LMS
Incident Reporting | All personnel | 15 minutes | Annual | LMS
Remote Work Security | Remote workers | 20 minutes | Annual | LMS
Code of Conduct | All personnel | 30 minutes | Annual | LMS

Role-Based Training Matrix

Role | Required Training Modules | Additional Requirements
All Employees | Security Fundamentals; Phishing; Data Protection; Code of Conduct | Monthly awareness communications
Engineering/Development | + Secure Coding; OWASP Top 10; API Security | Security Champion optional
SRE/DevOps | + Infrastructure Security; Cloud Security; Incident Response | Incident response exercises
Customer Support | + Customer Data Handling; Social Engineering; Ticket Security | Data protection focus
Sales/Marketing | + Data Protection; Email Security; Travel Security | Mobile device security
Finance | + Financial Fraud; Wire Transfer Security; Vendor Verification | BEC awareness
HR/People | + Privacy Training; Employee Data Protection; Background Checks | PII handling
Legal/Compliance | + Privacy Regulations; Data Breach Response; Compliance Requirements | Regulatory updates
Executives | + Executive Targeting; BEC; Crisis Management; Board Reporting | Executive tabletop
IT/Security | + Advanced Security Topics; Incident Response; Forensics Awareness | Continuous professional development
Privileged Access Users | + Privileged Access Management; Elevated Responsibility; Access Review | Quarterly refresher

Training Schedule

Training | Cadence | Notes
Security Fundamentals | Annual | Annual renewal
Phishing Awareness | Annual | Annual renewal
Data Protection | Annual | Annual renewal
Social Engineering | Annual | Annual renewal
New Hire Orientation | Ongoing (Q1 through Q4) | Within 5 business days of start
Phishing Simulations | Monthly | Every month of the year
Tabletop Exercises | Semi-annual | Two exercises per year
Security Champion Training | Bi-annual | Two sessions per year
Executive Briefing | Quarterly | Once per quarter

Core Training Modules

Security Fundamentals (Annual)

Topic | Content | Duration | Assessment
Security Overview | Acme Cloud security program; policies; your role | 10 min | Quiz
Threat Landscape | Current threats; attack vectors; real-world examples | 10 min | Quiz
Password Security | Strong passwords; password managers; MFA | 10 min | Quiz
Phishing Awareness | Recognizing phishing; reporting; response | 10 min | Quiz
Data Protection | Classification; handling; storage; sharing | 10 min | Quiz
Physical Security | Clean desk; badge; visitor management | 5 min | Quiz
Incident Reporting | When and how to report security concerns | 5 min | Quiz

Phishing Awareness Module

Topic | Content | Skills Developed
What is Phishing | Definition; types; attacker objectives | Recognition
Email Red Flags | Suspicious indicators in phishing emails (sender mismatch, urgency, unexpected requests) | Analysis
URL Analysis | Checking link destinations before clicking; hover techniques; lookalike domains | Verification
Attachment Safety | Safe handling of attachments; risky file types | Caution
Reporting Phishing | Using the report button; forwarding to security | Action
Mobile Phishing | SMS phishing (smishing); mobile email | Awareness
Voice Phishing | Phone-based social engineering (vishing) | Recognition
Spear Phishing | Targeted attacks; personalization | Awareness

Data Protection Module

Topic | Content | Skills Developed
Data Classification | Levels; examples; marking requirements | Classification
Handling Requirements | Per-level handling procedures | Application
Customer Data | Special requirements for customer data | Responsibility
PII Protection | Personal data identification and protection | Compliance
Data Sharing | Secure sharing methods; external transfer | Secure practices
Storage Security | Approved storage locations; encryption | Compliance
Data Retention | Retention periods; disposal requirements | Lifecycle
Breach Prevention | Common causes; prevention measures | Prevention

Social Engineering Defense

Topic | Content | Skills Developed
Social Engineering Tactics | Pretexting; baiting; quid pro quo | Recognition
Authority Attacks | Impersonation of executives or authorities | Skepticism
Urgency Manipulation | Creating false urgency to bypass judgment | Pause and verify
Information Gathering | How attackers research targets | OPSEC
Verification Procedures | Callback procedures; out-of-band verification | Verification
BEC Prevention | Wire transfer verification; approval workflows | Process
Physical Social Engineering | Tailgating; impersonation; shoulder surfing | Awareness
Case Studies | Real attack examples and lessons learned | Application

Phishing Simulation Program

Program Overview

Element | Description | Frequency
Simulation Campaigns | Controlled phishing tests to all employees | Monthly
Campaign Variety | Different scenarios, difficulty levels, vectors | Rotating
Immediate Feedback | Just-in-time training upon clicking | Automatic
Reporting Incentives | Recognition for correct reporting | Ongoing
Metrics Tracking | Click rates, report rates, improvement trends | Monthly
Remediation Training | Additional training for repeat clickers | Per threshold

Simulation Scenarios

Scenario Type | Difficulty | Examples | Frequency
Generic Phishing | Low | Prize winning; package delivery; account verification | Monthly
Corporate Impersonation | Medium | IT department; HR benefits; payroll updates | Monthly
Vendor Impersonation | Medium | AWS alerts; Slack notifications; SaaS renewals | Quarterly
Spear Phishing | High | Executive requests; personalized content | Quarterly
Credential Harvest | Medium | Login page clones; SSO impersonation | Monthly
Attachment-Based | Medium | Invoice attachments; document sharing | Quarterly
SMS Phishing | Medium | Account verification; package tracking | Quarterly

Simulation Metrics

Metric | Definition | Target | FY2025 Actual
Click Rate | Percentage of recipients who click a simulated phishing link | <5% | 4.2%
Report Rate | Percentage of recipients who correctly report the simulated phish | >40% | 47%
Credential Submission Rate | Percentage of recipients who enter credentials on the simulated login page | <2% | 1.1%
Repeat Clicker Rate | Percentage of recipients who click in more than one campaign | <3% | 2.4%
Time to First Report | Elapsed time from campaign send until the first employee report | <5 min | 3.2 min

Remediation Process

Click Count | Remediation Action | Timeline | Tracking
First click | Immediate training module (5 min) | Automatic | LMS
Second click | Extended training module (15 min) | Within 48 hours | LMS + manager notification
Third click | Manager conversation + training | Within 1 week | HR involvement
Fourth click | CISO meeting + performance impact | Within 2 weeks | Formal documentation
Credential submission | Immediate password change + training | Immediate | Security team

Specialized Training Programs

Secure Coding Training (Engineering)

Module | Content | Duration | Frequency
OWASP Top 10 | Current top web application security risks | 120 min | Annual
Secure Coding Fundamentals | Input validation; output encoding; authentication | 180 min | Annual
API Security | REST/GraphQL security; authentication; rate limiting | 90 min | Annual
Dependency Security | SCA; vulnerability management; updates | 60 min | Annual
Secrets Management | Proper handling of credentials and keys | 45 min | Annual
Security Testing | SAST/DAST tools; penetration testing basics | 90 min | Annual

Privileged Access Training

Module | Content | Duration | Audience
Elevated Responsibility | Risks and responsibilities of privileged access | 30 min | All privileged users
Access Management | Requesting, using, and releasing privileged access | 20 min | All privileged users
Monitoring and Audit | Activity logging and review expectations | 15 min | All privileged users
Insider Threat Awareness | Indicators; reporting; prevention | 20 min | All privileged users
Emergency Access | Break-glass procedures; documentation | 15 min | On-call personnel

Incident Response Training

Training Type | Audience | Duration | Frequency
Incident Reporting | All employees | 15 min | Annual
Incident Response Overview | Security + SRE | 60 min | Annual
IR Tabletop Exercise | IR team | 120 min | Semi-annual
Technical IR Procedures | Security team | 180 min | Annual
Customer Communication | CS + Legal + Comms | 90 min | Annual
Executive Crisis Management | Leadership | 90 min | Annual

Privacy and Compliance Training

Module | Audience | Content | Duration
GDPR Fundamentals | All employees | GDPR principles; rights; obligations | 45 min
CCPA/CPRA Overview | All employees | California privacy requirements | 30 min
HIPAA Basics | Applicable roles | PHI protection requirements | 45 min
Data Subject Rights | CS + Privacy | Handling DSRs; SLAs; procedures | 30 min
Privacy by Design | Engineering | Building privacy into products | 60 min
Vendor Privacy | Procurement | Vendor privacy assessment | 30 min

Training Delivery Methods

Delivery Channels

Channel | Use Cases | Benefits | Limitations
LMS (Online) | Formal courses; compliance training | Scalable; trackable; self-paced | Limited interaction
Live Virtual | New hire orientation; tabletop exercises | Interactive; Q&A possible | Scheduling complexity
In-Person | Specialized workshops; incident simulations | High engagement | Resource intensive
Email | Monthly awareness tips; threat alerts | Broad reach; timely | Limited engagement
Slack | Quick tips; reminders; reporting | Real-time; convenient | Information overload risk
Posters/Signage | Visual reminders; clean desk | Ambient awareness | Limited detail
Newsletter | Monthly security digest; stories | Comprehensive updates | May be skipped
Gamification | Quizzes; competitions; badges | Engaging; memorable | Not all topics suitable

LMS Platform Requirements

Requirement | Description | Implementation
Course Management | Create, assign, track training courses | LMS platform
Automated Assignment | Role-based automatic enrollment | Integration with HRIS
Progress Tracking | Monitor completion status | Dashboard + reports
Assessment | Quizzes with passing threshold | Built-in assessments
Certificates | Completion certificates | Automated generation
Reminders | Automated overdue notifications | Email + Slack integration
Reporting | Compliance reports; metrics dashboards | Export + analytics
SSO Integration | Single sign-on access | Identity provider integration

Content Development Standards

Standard | Description | Application
Adult Learning Principles | Practical, relevant, self-directed content | All modules
Microlearning | Short, focused segments (5-15 min) | Most modules
Multimedia | Video, audio, interactive elements | Enhanced engagement
Real Examples | Acme Cloud-relevant scenarios | Contextualization
Regular Updates | Annual content review; emerging threat updates | Currency
Accessibility | WCAG 2.1 AA compliance | All content
Assessment | Knowledge checks with 80% passing threshold | All formal training

Compliance and Tracking

Compliance Requirements

Requirement Source | Training Required | Frequency | Evidence
SOC 2 | Security awareness training | Annual | Completion records
ISO 27001 | Information security awareness | Annual | Completion records
GDPR | Data protection training | Annual | Completion records
HIPAA (if applicable) | Privacy and security training | Annual | Completion records
CCPA/CPRA | Privacy training | Annual | Completion records
Company Policy | Code of Conduct; security policies | Annual | Signed acknowledgment

Tracking and Reporting

Metric | Definition | Target | Reporting Frequency
Overall Completion Rate | Completed / Required | >98% | Monthly
On-Time Completion | Completed within deadline | >95% | Monthly
Assessment Pass Rate | First-attempt pass rate | >90% | Monthly
Role-Based Completion | By department/role | 100% | Quarterly
Training Hours | Total training hours delivered | Tracked, no target | Quarterly
Feedback Scores | Training satisfaction ratings | >4.0/5.0 | Per course

FY2025 Training Completion Metrics

Training Category | Required | Completed | Completion Rate | Target
Security Fundamentals | 340 | 336 | 98.8% | 100%
Phishing Awareness | 340 | 334 | 98.2% | 100%
Data Protection | 340 | 338 | 99.4% | 100%
Code of Conduct | 340 | 340 | 100% | 100%
New Hire Security | 48 | 48 | 100% | 100%
Secure Coding (Engineering) | 85 | 84 | 98.8% | 100%
Privileged Access | 34 | 34 | 100% | 100%
Privacy/GDPR | 340 | 332 | 97.6% | 100%

Non-Compliance Escalation

Days Overdue | Action | Responsible Party
0-7 days | Automated LMS reminders | System
8-14 days | Manager notification | LMS + Security team
15-21 days | Director escalation | Security team
22-30 days | VP/CISO notification | Security team
>30 days | Access restriction consideration | CISO + HR

Security Awareness Communications

Regular Communications

Communication | Audience | Frequency | Channel | Content
Security Tip of the Week | All | Weekly | Slack | Short security tips
Monthly Newsletter | All | Monthly | Email | Security digest
Threat Alerts | All | As needed | Email + Slack | Current threat warnings
Policy Updates | All | As needed | Email | Policy changes
Phishing Alerts | All | As needed | Slack | Confirmed phishing notices
Security Champion Update | Champions | Bi-weekly | Meeting + Email | Security updates
Executive Security Brief | Leadership | Quarterly | Meeting | Risk and metrics

Awareness Campaign Calendar

Month | Theme | Activities
January | New Year Security Reset | Password changes; MFA audit
February | Data Privacy Day | Privacy training emphasis
March | Phishing Awareness | Increased simulations
April | Physical Security | Clean desk reminders
May | Identity Protection | MFA; password managers
June | Travel Security | Pre-travel tips
July | Social Engineering | Awareness scenarios
August | Back-to-School Security | Family cyber safety
September | Insider Threat | Reporting awareness
October | Cybersecurity Awareness Month | Full campaign
November | Gratitude for Reporting | Reporter recognition
December | Holiday Security | Shopping safety; travel

Recognition and Gamification

Recognition Type | Criteria | Reward
Phishing Reporter | Correctly reports simulated phishing | Public recognition
Early Reporter | First to report real phishing | Recognition + swag
Security Champion | Consistent security advocacy | Annual award
Training Champion | 100% on-time completion | Recognition
Department Excellence | Highest department completion rate | Team recognition

Numbered Policy Statements

  1. Universal Participation: All Acme Cloud, Inc. personnel including employees, contractors, and third parties with system access must complete assigned security awareness training.

  2. Onboarding Requirement: New personnel must complete security orientation training within five business days of starting work.

  3. Annual Refresh: Security fundamentals training must be completed annually by all personnel, with completion required by the anniversary of the previous training.

  4. Role-Based Training: Personnel must complete role-specific security training appropriate to their job function and access levels.

  5. Completion Tracking: All training completion must be documented in the Learning Management System with records retained for audit purposes.

  6. Passing Threshold: Formal training modules require 80% or higher assessment scores to demonstrate comprehension.

  7. Phishing Simulation Participation: All personnel for whom phishing simulations are marked Required in the Applicability Matrix must participate in the phishing simulation program as part of ongoing security awareness.

  8. Remediation Requirement: Personnel who fail phishing simulations or assessments must complete additional remediation training as assigned.

  9. Privileged User Training: Personnel with privileged access must complete additional training on elevated responsibilities and risks.

  10. Executive Training: Executive leadership must participate in security briefings and crisis management exercises.

  11. Training Currency: Training must be refreshed when significant changes occur in threats, technology, or policy.

  12. Non-Compliance Consequences: Failure to complete required training may result in access restrictions and management escalation.

  13. Feedback Integration: Training programs shall incorporate participant feedback and lessons from incidents for continuous improvement.

  14. Metrics Reporting: Training completion and effectiveness metrics shall be reported to leadership quarterly and to the Board annually.


Framework Appendix

Compliance Mapping

Requirement | SOC 2 Criteria | ISO 27001 Control | NIST CSF | Implementation
Security awareness | CC1.4 | A.7.2.2 | PR.AT-1 | Training program
Security training | CC1.4 | A.7.2.2 | PR.AT-1 | Role-based modules
Personnel accountability | CC1.5 | A.7.2.1 | PR.AT-1 | Policy acknowledgment
Training effectiveness | CC1.4 | A.7.2.2 | PR.AT-5 | Assessment; metrics
Threat awareness | CC3.3 | A.6.1.1 | PR.AT-1 | Communications

Control identifiers above use ISO/IEC 27001:2013 Annex A numbering (A.7.2.2 corresponds to A.6.3 in ISO/IEC 27001:2022) and NIST CSF 1.1 subcategory identifiers.

NIST SP 800-50 Alignment

NIST Guidance | Policy Implementation
Awareness program | Ongoing communications; tips; alerts
Training program | LMS-based formal training
Education program | Security Champion; specialized training
Program evaluation | Metrics; simulations; feedback
Continuous improvement | Annual review; incident integration

Training Effectiveness Measurement

Level | Measurement | Method | Frequency
Reaction | Satisfaction with training | Post-training surveys | Per course
Learning | Knowledge acquisition | Assessment scores | Per course
Behavior | Application of knowledge | Phishing simulation results | Monthly
Results | Business impact | Incident metrics; audit findings | Quarterly

Related Trust Center documents

security overview, code of conduct, access control, incident response, privacy policy, sdlc policy, data retention


Document revision history

Version | Date | Author | Summary of changes
1.0 | 2024-06-01 | Legal & Compliance | Initial Trust Center publication
2.0 | 2025-03-15 | GRC Program | SOC 2 Type II alignment refresh; expanded subprocessors
2.5 | 2025-09-01 | Security Engineering | Encryption standards update; ISO 27001 mapping
3.0 | 2026-01-15 | Trust Center Program | Full procurement-grade expansion; 34-document set

Contact

Acme Cloud, Inc.
1200 Market Street, Suite 400
San Francisco, CA 94103, USA

Channel | Email | Use case
Trust & procurement | trust@acmecloud.com | Security questionnaires, trust reviews
Security | security@acmecloud.com | Incidents, vulnerabilities, control questions
Privacy | privacy@acmecloud.com | DSRs, privacy assessments
Legal | legal@acmecloud.com | Contractual, DPA, legal notices

Training Program Contacts

Contact | Role | Use Case
security-training@acmecloud.com | Training Team | Training questions; completion issues
security@acmecloud.com | Security Team | Security questions; incident reporting
HR helpdesk | People Team | LMS access issues
CISO | Security Executive | Program feedback; exceptions

Appendix: Training Calendar FY2026

Training | Audience | Cadence (see Training Schedule above)
Security Fundamentals | All | Annual
Phishing Awareness | All | Annual
Data Protection/Privacy | All | Annual
Social Engineering | All | Annual
Secure Coding | Engineering | Annual
Incident Response Exercise | IR team | Semi-annual
Executive Tabletop | Leadership | Per executive briefing cycle
Phishing Simulations | All | Monthly
Security Champion Training | Champions | Bi-annual
