Security awareness training
Last reviewed 2026-05-16
Requirement
All personnel with production access, customer-data access, source-code access, vendor-dashboard access, or ongoing operational responsibility complete security-awareness training within 30 days of their start date, and annually thereafter. The assigned training content is the onboarding module suite listed below. Completion is tracked through the admin onboarding portal at /admin/onboarding, which writes signed acknowledgment records to Firestore and emits audit-log events. Restricted training evidence is retained for audit review.
Limited internal-document volunteers receive access-appropriate security and confidentiality instructions before documents are shared. If a volunteer's access expands to production systems, customer data, source code, vendor dashboards, or ongoing operational responsibility, the full training requirement applies before the expanded access is granted.
Current state (2026-05-11): Current personnel with operational or sensitive-system responsibilities have completed the required onboarding and training module suite. Future annual acknowledgments, and completions by future hires or collaborators granted sensitive access, will be recorded through the authenticated onboarding process.
Required Training Modules
Personnel acknowledge the assigned training modules, not this policy's maintainer resource list. The required sign-off set for standard onboarding and annual re-attestation is:
- acceptable use: acceptable-use and confidentiality expectations.
- security awareness training module: core security awareness.
- privacy and data handling training module: privacy, data classification, and customer-data handling.
- responsible AI training module: responsible use of AI systems and AI output review.
- incident reporting training module: what to report and how to preserve evidence.
- device and physical security training module: endpoint, authenticator, and remote-work physical security.
Role-specific modules are assigned before a person takes the relevant responsibility and annually while that responsibility remains assigned:
- accessibility training module: accessibility skill maintenance for the Accessibility Lead and anyone designing, building, reviewing, testing, approving, or supporting user-facing UI.
Curriculum Requirements
Every cycle covers, at minimum:
1. Phishing: recognizing social-engineering, executive-impersonation, and MFA-fatigue attacks; reporting procedure.
2. Password and MFA hygiene: password managers, unique passwords, hardware keys, MFA on every account.
3. Device hygiene: encryption, screen lock, OS patching, software install policy.
4. Data handling: classification (per data classification), PII handling, no pasting customer data into unapproved tools, including AI tools.
5. Incident reporting: when and how to report; no-blame culture.
6. Acceptable use recap (per acceptable use).
7. Physical security: travel, lost devices, shared-workspace hygiene.
8. Privacy fundamentals: GDPR / CCPA basics; user rights; DSR handling.
9. AI safety: what data may and may not be shared with which AI tools; HiringCoachAI AI Use Policy summary.
Maintainer Reference Sources
The Security Officer may use these references to maintain and improve the assigned training modules. Personnel are not asked to sign off on this list unless a specific source is separately assigned.
- CISA Cybersecurity Awareness: cisa.gov/secure-our-world
- Google's "Applied Digital Skills" security modules
- NIST NICE Cybersecurity Workforce content
- OWASP Top 10 walkthrough (for engineers)
Engineering personnel additionally complete an annual OWASP Top 10 refresher and secure-coding material scoped to our stack (Next.js, Firebase, Firestore rules, OAuth/NextAuth).
Phishing simulations
Cadence (when at least 2 sensitive-access recipients exist): The Security Officer sends one simulated phishing email per quarter to personnel with ongoing operational or sensitive-system access. Click-through rate, time-to-report, and report rate are tracked; retraining is triggered for anyone who clicks on two simulations in a rolling year.
Simulated phishing exercises apply when there is a personnel population with ongoing operational or sensitive-system access. Until then, phishing-awareness training and incident-reporting expectations remain part of onboarding and annual training.
Tooling: Simulations are handcrafted and logged manually today. Adoption of a paid platform is under internal evaluation.
Evidence
- Completion records: Firestore complianceTrainingLog entry per person per document with date, document hash, signature statement, and signer identity; latest rollups are stored under users/{uid}/complianceAcknowledgments/{documentId}.
- Phishing-simulation results: restricted evidence record with date, template, delivery count, and click count.
Role-based additional training
| Role | Additional training |
|---|---|
| Security Officer | Annual review of NIST CSF, CIS IG1; subscribe to CISA advisories |
| Accessibility Lead | WCAG 2.1 Level AA (current verified conformance, customer-contract and HECVAT baseline), WCAG 2.2 Level AA (forward-looking target), Section 508 / EN 301 549 context, assistive-technology testing concepts, accessibility remediation tracking, and ACR / VPAT maintenance via accessibility training module |
| Engineering | OWASP Top 10; secure-coding; Firestore rules; NextAuth threat model; AI safety |
| UI engineering or product design | Keyboard operation, focus order, accessible names, semantic landmarks, color contrast, reflow, reduced motion, jsx-a11y, jest-axe, Playwright + Axe, and manual accessibility review via accessibility training module |
| Support (if applicable) | DSR handling; phishing recognition from customer impersonation |
Onboarding-specific
Within first 30 days, new personnel with ongoing operational or sensitive-system access:
- Read and acknowledge the required onboarding documents in /admin/onboarding, including acceptable use.
- Complete and acknowledge the required training modules listed above.
- Complete and acknowledge any assigned role-specific training module before taking that role's responsibilities.
- Enroll MFA on every required account.
- Attest to device-hygiene compliance.
- Receive walkthrough of incident response and how to report concerns.
Annual attestation
At each annual training, all personnel with ongoing operational or sensitive-system access re-acknowledge the acceptable-use policy (AUP) and any material policy changes made in the preceding year.
Metrics reported quarterly
- % personnel current on annual training
- Phishing-sim click rate
- Reported suspected-phishing incidents (real and simulated)