Security Awareness Training Policies

Purpose #

Nested Knowledge has a responsibility to educate our personnel on security practices and to comply with federal regulations related to security training and controls. This policy describes our plan to educate users on security practices.

Scope: This policy affects all employees, contractors, and consultants of Nested Knowledge.

Security Awareness Training Policy #

Upon hiring, Nested Knowledge requires all employees and contractors to review and demonstrate understanding of security policies. Developers and others with access to sensitive data systems must undergo additional security training relevant to their job duties.

Security awareness training is repeated for all personnel on an annual basis. Training includes a quiz on the content of each policy, but the training format is subject to change.

When policies are updated, we ensure that all employees have ready access to the most recent version. All employees with roles in incident response, data protection, or data recovery must review and sign off on the corresponding policy.

Training                              | Delivered to
--------------------------------------|-----------------------
Acceptable Use of IT Resources        | All
Incident Response                     | Incident Response Team
Cloud Security                        | Development Team
Information Security                  | All
Wireless Connection                   | All
Secure Development                    | Development Team
Disaster Recovery                     | All
Security Awareness                    | All
GDPR Compliance                       | All
Remote Access and Workstation Safety  | All

Developer Training #

Developers are expected to be familiar with common vulnerabilities in web applications, how to detect them, and how to mitigate them. To standardize this expectation, developer training is based on OWASP modules and guidelines. Specifically:

  • All developers perform an annual review of the OWASP Top 10 and pass a practical quiz relating to vulnerabilities within.
  • Each developer annually completes a randomly selected test from the OWASP Web Security Testing Guide (WSTG) against the Nested Knowledge software.
    • Scenarios are selected and assigned by the Technical Lead using our issue management software.
    • Each scenario includes a description of the threat and the testing methods. The developer inventories the relevant attack surface and performs the test, including penetration testing where applicable, in a development environment.
    • The developer writes up their approach & findings in the issue, which is then reviewed by the technical lead.
  • Any developer introducing a vulnerability identified in code review or later is expected to:
    • Study the corresponding OWASP Cheat Sheet(s), when relevant.
    • Demonstrate understanding of the threat to the technical lead, with regards to both the code instance and the general threat model.
    • With the technical lead, perform a review of relevant code examples in the code base and explain the mitigations used.
  • OWASP Global AppSec training and webinar attendance is assigned at the technical lead's discretion to junior members of the team and to developers who fail to achieve and demonstrate the expected understanding of the materials and exercises above.

Data Protection Training Policy #

Employee training requirements are based on the data classification system. All employees and contractors will be provided with our data protection policy. Those who deal with confidential data, restricted use data, or high-risk personal data will be required to demonstrate understanding of our data protection and data breach notification procedures.

Policy Enforcement #

Employees who fail to review and comply with our information security policies, including the access control and incident management policy, will be issued a warning and required to demonstrate comprehension of security rules and procedures. Continued failure may result in disciplinary action.

Revision History #

Author    | Date of Revision/Review | Comments
----------|-------------------------|-----------------------------------------
K. Cowie  | 12/15/2021              | Drafted
K. Holub  | 4/12/2024               | Adding listing of all current policies
K. Cowie  | 10/29/2024              | Revised
Updated on October 28, 2024