Security Awareness & Training Controls
Purpose
Bramble develops a security and privacy-minded workforce through continuous user education activities and exercises about evolving threats, compliance obligations and secure workplace practices, in order to refine and improve on existing training and to make sure all Bramble team-members are aligned on the values of the organization.
Scope
This control applies to all Bramble team-members with certain trainings focused on product engineers and product security PMs.
This control applies to all product engineers and product security PMs.
Ownership
Control ownership: People Operations
Process Owner:
- People Operations are responsible for deploying the process to ensure 100% of employee testing and validating that every Bramble team member has completed training in the current year.
- Security Operations is consulted for the content and effectiveness of the control.
Controls
| Control Number | Control Title | Control Statement | Goal | TOD | TOE |
|---|---|---|---|---|---|
| SAT-01 | Security & Privacy-Minded Workforce | Bramble Group Corp. has implemented mechanisms for security workforce development and awareness controls. | Does the organization facilitate the implementation of security workforce development and awareness controls? | 1. Identify policies and procedures responsible for identification and implementation of security awareness and training programs. 2. Examine policies and procedures for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; and implementation requirements. |
1. Examine formal policies and procedures to confirm evidence and document they are reviewed and approved in accordance to TOD. 2. Pull a population of all training records. 3. Examine training records, or other relevant records, for a sample of security training completion based on organized-designed frequency. |
- Test of Design - (TOD) – verifies that a control is designed appropriately and that it will prevent or detect a particular risk.
- Test of Operating Effectiveness - (TOE) - used for verifying that the control is in place and it operates as it was designed.
Policy Reference
- Handbook policy Secure Coding Training
- Handbook policy Bramble Business Ethics and Code of Conduct
- Handbook policy on Security Awareness Training
- Code of Conduct Acknowledgement (Drata)
- Security Awareness Training Completed (Drata)
- Onboarding issue template