User Awareness Procedure
1. Purpose
The purpose of this User Awareness Procedure is to provide detail on the practices that RFG Holdings (RFG) follows to ensure that IT users are well informed and vigilant regarding cybersecurity.
2. User Awareness Training
User Awareness training will be assigned to RFG IT users monthly via Mimecast. The training will include the following topics:
a. Data in motion: ways in which employees move sensitive data within secure company networks and the risks associated with transferring to personal devices and accounts.
b. Data privacy: handling personal information securely and ethically.
c. DevSecOps: security concerns that developers face when building, testing, launching and maintaining company programs, applications and systems.
d. Executive Training: addresses how company leaders and board members need to understand the exposure and risk, develop plans to mitigate the impact of breaches and drive the company conversation about security.
e. Info Protection: addresses employees' responsibility for keeping sensitive information safe.
f. Office Hygiene: stresses the importance of creating a physical working environment that keeps information safe.
g. Passwords: addresses the importance of creating unique, hard-to-hack passwords, the dangers of using the same password for everything, and the careless ways people expose their passwords to co-workers and strangers.
h. Phishing: addresses the dangers of emails and ransomware scams as well as SMS (smishing) and voice/phone (vishing) attacks, where hackers deceive employees into sharing and exposing login and other sensitive information.
i. Custom Modules: allows uploading of custom training material.
3. Communication Plan
a. Users will be notified via email when training has been assigned.
b. The user's manager will be notified of outstanding training.
c. Alerts and announcements will be made for emerging threats.
4. Testing and Assessment
a. Users will undergo a simulated phishing exercise at least annually.
b. Users will complete a knowledge assessment after each training session.
5. Incident Reporting
a. Users are to follow the incident management procedure for the reporting of security incidents.