InContext Solutions
Operational Processes
Last reviewed: 2025-04-01

Security Awareness & Training Policy

Overview

InContext Solutions is committed to building and maintaining a security-conscious culture across the organization. The Security Awareness and Training Policy establishes a comprehensive program designed to educate all personnel on cybersecurity risks, responsibilities, and best practices. By equipping employees with the knowledge and skills necessary to recognize and respond to threats, we reduce the likelihood of security incidents caused by human error and strengthen our overall security posture.

This program is a cornerstone of InContext Solutions' defense-in-depth strategy, complementing technical controls with informed and vigilant personnel who serve as the first line of defense against evolving cyber threats.

Scope

This policy applies to all individuals who have access to InContext Solutions systems, networks, data, or facilities, including:

  • Full-time and part-time employees
  • Contractors and consultants
  • Temporary and seasonal workers
  • Third-party personnel with access to InContext Solutions systems or data
  • Interns and volunteers

All personnel within scope are required to participate in security awareness activities and complete mandatory training as outlined in this policy.

New Hire Training

All new personnel must complete security orientation training within their first week of employment or engagement. Security training is a prerequisite for receiving access to InContext Solutions systems and data.

New hire security orientation covers the following topics:

  1. Acceptable Use -- Proper use of company systems, devices, and network resources in accordance with the Acceptable Use Policy.
  2. Password Security -- Password creation requirements, multi-factor authentication, and credential management best practices.
  3. Phishing Awareness -- How to identify phishing emails, suspicious links, and social engineering tactics.
  4. Data Handling -- Proper classification, storage, transmission, and disposal of company and client data in accordance with the Data Protection Policy.
  5. Incident Reporting -- How to recognize and report potential security incidents, per the Security Incident Response Policy.
  6. Physical Security -- Workstation locking, badge access, visitor policies, and clean desk practices.
  7. Remote Work Security -- VPN usage, secure Wi-Fi practices, and safeguarding devices outside the office.

New personnel must formally acknowledge that they have read, understood, and agree to comply with all applicable security policies before system access is provisioned.

Annual Security Training

All personnel are required to complete mandatory annual security refresher training to maintain awareness of current threats and reinforce security best practices.

Annual security training must be completed within 30 days of assignment. Personnel who do not complete training within the required timeframe may have system access restricted until training is completed.

Annual training requirements include:

  • Mandatory participation for all personnel within scope, regardless of role or tenure.
  • Updated content reflecting the current threat landscape, recent incidents, and emerging attack vectors.
  • Core topics refreshed each year: phishing and social engineering, data protection, password hygiene, incident reporting, and regulatory compliance.
  • Supplemental modules added based on organizational priorities, audit findings, or changes in regulatory requirements.
  • Completion tracking through the learning management system (LMS), with reports provided to department heads and senior leadership.
  • Assessment component to verify comprehension, with a minimum passing score required.

Phishing Awareness Program

InContext Solutions conducts a structured phishing simulation program to measure and improve organizational resilience against social engineering attacks. Simulated phishing exercises are performed quarterly and are designed to educate, not penalize, personnel.

The phishing awareness program includes:

  • Quarterly simulated phishing campaigns using realistic scenarios that reflect current threat intelligence.
  • Progressive difficulty -- simulations increase in sophistication over time to continuously challenge and improve awareness.
  • Immediate feedback -- personnel who interact with a simulated phishing email receive instant educational guidance explaining what indicators they missed.
  • Reporting mechanism -- all personnel are encouraged to report suspected phishing emails using the designated phishing report button or forwarding to the security team.

Metrics Tracked

  • Click rate -- Percentage of recipients who clicked a simulated phishing link
  • Report rate -- Percentage of recipients who correctly reported the simulation
  • Credential submission rate -- Percentage of recipients who entered credentials on a simulated phishing page
  • Time to report -- Average time between delivery of the simulated phishing email and its first report
  • Trend analysis -- Quarter-over-quarter change across all of the above metrics
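The metrics above are only comparable across quarters if they are computed the same way each time: per person rather than per event, with every rate measured against the number of recipients the simulation was delivered to, and with a person who clicks and then reports counted in both the click rate and the report rate. The following is an added example, not part of the policy or of any InContext Solutions tooling; it computes the metrics from a constructed, hypothetical event log (the event names, recipients and timestamps are assumptions) and shows the direction in which each metric must move to count as a quarter-over-quarter improvement.

```python
from datetime import datetime
from statistics import mean

# Constructed sample events for one quarterly simulation (not real data).
# Each tuple is (recipient, event, ISO-8601 timestamp). A recipient may
# generate several events; the metrics below count each person once.
SAMPLE_EVENTS = [
    ("alice", "delivered", "2025-04-07T09:00:00"),
    ("alice", "reported",  "2025-04-07T09:04:00"),
    ("bob",   "delivered", "2025-04-07T09:00:00"),
    ("bob",   "clicked",   "2025-04-07T09:10:00"),
    ("bob",   "clicked",   "2025-04-07T09:11:00"),  # second click: still one person
    ("bob",   "submitted", "2025-04-07T09:12:00"),
    ("carol", "delivered", "2025-04-07T09:00:00"),
    ("carol", "clicked",   "2025-04-07T09:30:00"),
    ("carol", "reported",  "2025-04-07T09:32:00"),  # clicked, then reported: counts in both rates
    ("dave",  "delivered", "2025-04-07T09:00:00"),  # no interaction at all
    ("erin",  "delivered", "2025-04-07T09:00:00"),
    ("erin",  "reported",  "2025-04-07T10:00:00"),
]


def campaign_metrics(events):
    """Per-person metrics for one simulation; all rates use delivered recipients as the denominator."""
    delivered, clicked, submitted = set(), set(), set()
    delivered_at, first_report = {}, {}
    for user, kind, ts in events:
        t = datetime.fromisoformat(ts)
        if kind == "delivered":
            delivered.add(user)
            delivered_at[user] = t
        elif kind == "clicked":
            clicked.add(user)
        elif kind == "submitted":
            clicked.add(user)      # a credential submission implies the page was opened
            submitted.add(user)
        elif kind == "reported":
            # Time to report is measured to the *first* report by that person.
            if user not in first_report or t < first_report[user]:
                first_report[user] = t
    n = len(delivered)
    if n == 0:
        raise ValueError("no delivered recipients in event log")

    def pct(people):
        return round(100.0 * len(people & delivered) / n, 1)

    reporters = set(first_report) & delivered
    minutes_to_report = [(first_report[u] - delivered_at[u]).total_seconds() / 60 for u in reporters]
    return {
        "recipients": n,
        "click_rate_pct": pct(clicked),
        "report_rate_pct": pct(reporters),
        "credential_submission_rate_pct": pct(submitted),
        "mean_minutes_to_report": round(mean(minutes_to_report), 1) if minutes_to_report else None,
    }


# Direction each metric must move for the quarter to count as an improvement.
LOWER_IS_BETTER = {"click_rate_pct", "credential_submission_rate_pct", "mean_minutes_to_report"}
HIGHER_IS_BETTER = {"report_rate_pct"}


def quarter_over_quarter(previous, current):
    """Trend analysis: signed delta and whether it is an improvement, per metric."""
    out = {}
    for key in sorted(LOWER_IS_BETTER | HIGHER_IS_BETTER):
        p, c = previous.get(key), current.get(key)
        if p is None or c is None:   # e.g. nobody reported in one quarter
            out[key] = {"delta": None, "improved": None}
            continue
        delta = round(c - p, 1)
        improved = delta < 0 if key in LOWER_IS_BETTER else delta > 0
        out[key] = {"delta": delta, "improved": improved}
    return out


if __name__ == "__main__":
    current = campaign_metrics(SAMPLE_EVENTS)
    print(current)
    # Hypothetical previous-quarter figures, constructed for illustration.
    previous = {"click_rate_pct": 50.0, "report_rate_pct": 40.0,
                "credential_submission_rate_pct": 30.0, "mean_minutes_to_report": 45.0}
    print(quarter_over_quarter(previous, current))
```

Note that the report rate is deliberately not restricted to people who avoided the link: someone who clicks and then reports has still given the security team the signal it needs, and excluding them would understate the value of the report button.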

Remediation

Personnel who fail a phishing simulation (e.g., click a link or submit credentials) are automatically enrolled in targeted additional training. Repeated failures across multiple quarters will trigger a one-on-one coaching session with the InfoSec team and notification to the individual's manager.

Role-Based Training

In addition to general awareness training, personnel receive specialized training based on their roles and responsibilities.

Developers

  • Secure coding practices aligned with the OWASP Top 10 risk categories.
  • Dependency management -- identifying and mitigating risks from third-party libraries and open-source components.
  • Code review security -- incorporating security considerations into peer review processes.
  • Secrets management -- proper handling of API keys, tokens, and credentials in code and configuration.
  • Security testing -- integration of static analysis, dynamic testing, and vulnerability scanning into the development lifecycle.

System Administrators

  • Hardened configurations -- applying security baselines and benchmarks (e.g., CIS Benchmarks) to systems and infrastructure.
  • Access management -- implementing least-privilege principles and managing privileged accounts.
  • Incident response -- identification, containment, and escalation procedures for infrastructure-related security events.
  • Patch management -- timely application of security patches and updates across managed systems.
  • Logging and monitoring -- ensuring adequate audit trails and security event monitoring.

Management

  • Risk awareness -- understanding organizational risk posture and the role of security in business decisions.
  • Regulatory obligations -- awareness of applicable compliance frameworks (SOC 2, GDPR, CCPA, and others).
  • Security governance -- accountability for team compliance with security policies and training requirements.
  • Budget and resource allocation -- supporting adequate investment in security tools, training, and personnel.

Data Handlers

  • Data protection principles -- understanding confidentiality, integrity, and availability as they apply to data handling.
  • GDPR and privacy awareness -- rights of data subjects, lawful processing bases, and cross-border data transfer requirements.
  • Data classification and handling -- identifying data sensitivity levels and applying appropriate controls for storage, transmission, and disposal.
  • Breach notification -- understanding obligations and procedures in the event of a data breach.

Specialized Training

Beyond role-based training, certain personnel and teams receive additional specialized training based on their functions.

Incident Response Team

  • Annual incident response training covering detection, analysis, containment, eradication, and recovery procedures.
  • Tabletop exercises conducted at least annually, simulating realistic breach scenarios to test team readiness and coordination.
  • Post-exercise reviews to identify gaps and update incident response plans accordingly.

Data Protection Personnel

  • In-depth training on data protection regulations, including GDPR, CCPA, and sector-specific requirements.
  • Training on data subject access request (DSAR) handling and privacy impact assessments.
  • Updates on regulatory changes and enforcement actions.

Privileged Access Users

  • Enhanced security training covering the elevated risks associated with administrative and privileged accounts.
  • Training on secure use of privileged access management (PAM) tools.
  • Awareness of insider threat indicators and reporting mechanisms.

New Technology and System-Specific Training

  • Targeted training provided when new technologies, platforms, or systems are introduced into the environment.
  • Security considerations specific to the technology, including configuration hardening and known vulnerability classes.
  • Training delivered prior to production deployment to ensure personnel are prepared to operate systems securely.

Training Delivery Methods

InContext Solutions uses a variety of delivery methods to maximize training effectiveness and engagement:

  • Online Learning Management System (LMS) -- Primary platform for delivering, tracking, and reporting on training modules. Accessible at any time for self-paced completion.
  • Instructor-led sessions -- Used for specialized topics requiring hands-on exercises, discussion, or demonstration (e.g., incident response tabletops, secure coding workshops).
  • Lunch-and-learn sessions -- Informal, voluntary sessions covering timely security topics, new threats, or lessons learned from recent incidents.
  • Security bulletins and advisories -- Regular communications distributed via email and internal channels to alert personnel to emerging threats, vulnerabilities, and security tips.
  • Just-in-time training -- Contextual training triggered by specific security events, such as a failed phishing simulation, a policy violation, or onboarding to a new system.

Compliance Tracking

Training completion is tracked and reported to ensure organizational compliance with this policy.

  • All training assignments and completions are recorded in the learning management system (LMS).
  • Monthly completion reports are generated and distributed to department heads, highlighting completion rates and identifying personnel with outstanding requirements.
  • Escalation process for non-completion:
    • 2 weeks past deadline -- Automated reminder sent to the individual
    • 3 weeks past deadline -- Manager notified of non-completion
    • 4 weeks past deadline -- Access restriction considered, pending training completion

Personnel who have not completed mandatory training within four weeks of the deadline may have their system access restricted or suspended until all required training is completed. Restrictions will be lifted promptly upon completion.

  • Annual compliance summary provided to senior leadership as part of the security program review.

Program Governance

The Security Awareness and Training Program is owned and administered by the Information Security (InfoSec) team, with the following governance structure:

  • Program design and delivery -- The InfoSec team is responsible for developing training content, selecting delivery platforms, scheduling training activities, and managing the phishing simulation program.
  • Annual program review -- The program is reviewed and updated at least annually to reflect changes in the threat landscape, regulatory requirements, organizational structure, and lessons learned from incidents.
  • Metrics-driven improvement -- Program effectiveness is measured through quantitative metrics, including:
    • Training completion rates across the organization.
    • Phishing simulation performance trends (click rate, report rate).
    • Correlation between training participation and security incident reduction.
    • Employee feedback and satisfaction scores from training evaluations.
  • Management review -- Program metrics and effectiveness are presented to senior leadership at least annually as part of the broader security program review, ensuring executive visibility and support.

Non-Compliance

Adherence to this policy is mandatory for all personnel within scope.

  • Failure to complete mandatory training within the specified timeframe may result in restricted or suspended access to InContext Solutions systems and data until training obligations are fulfilled.
  • Repeated non-compliance -- Personnel who consistently fail to complete required training or who demonstrate a pattern of disregard for security awareness obligations may be subject to disciplinary action, up to and including termination of employment or contract, in accordance with applicable human resources policies.
  • Manager accountability -- Managers are responsible for ensuring their team members complete all required training on time and may be held accountable for persistent non-compliance within their teams.

Related Policies

  • Acceptable Use Policy
  • Data Protection Policy
  • Security Incident Response Policy

Revision History

  • April 2025 -- ICS InfoSec Team -- Initial publication
  • March 2026 -- ICS InfoSec Team -- Published to Trust Center