Security Awareness Training Procedure Free Template

Here is the audit-ready Security Awareness Training Procedure, aligned with SOC 2 Trust Services Criteria CC2.1 and CC2.2:

1. Document Control

  • Document Title: Security Awareness Training Procedure

  • Document Identifier: PRC-HR-003

  • Version Number: v1.0

  • Approval Date: <24 June 2025>

  • Effective Date: <24 June 2025>

  • Review Date: <24 June 2026>

  • Document Owner: <Chief Information Security Officer>

  • Approved By: <Security Governance Committee>

2. Purpose

The purpose of this procedure is to establish a structured, consistent, and ongoing Security Awareness Training program for all personnel at . The procedure is designed to ensure that all employees, contractors, and temporary workers understand their security responsibilities and are equipped to recognize, avoid, and report security threats such as phishing, social engineering, and insider threats.

This procedure fulfills requirements under SOC 2 Trust Services Criteria CC2.1 and CC2.2, which require that the entity (a) communicates its information security objectives and responsibilities to internal users, and (b) provides training to maintain security competence. Security awareness directly supports the protection of information systems, personal data, intellectual property, and business continuity, and is fundamental to fostering a risk-aware culture across the enterprise.

3. Scope

This procedure applies to all employees, contractors, and third-party personnel with access to 's information systems, networks, applications, or data assets. It is applicable regardless of job function, employment type, or geographic location.

This includes corporate staff, remote workers, support and operations personnel, and technical/engineering roles. The procedure also extends to third-party consultants, vendors, and temporary staff who are granted system or data access. All users must complete training in accordance with the frequency and guidelines established in this document.

4. Policy Statement

shall ensure that all personnel receive role-appropriate, up-to-date training on information security awareness. Security Awareness Training shall:

  • Be completed within the first 5 business days of onboarding

  • Be repeated at least annually, with mandatory refresher courses

  • Be updated regularly to reflect current threats and compliance needs

  • Include mechanisms for testing comprehension (e.g., quizzes or simulated phishing)

  • Be documented and logged in the HRIS or Learning Management System (LMS)

No system access shall be granted until required training is completed. Department heads and HR are responsible for ensuring completion compliance within their teams. Security topics shall include, but are not limited to:

  • Password hygiene and MFA

  • Phishing and social engineering

  • Data classification and handling

  • Device and endpoint security

  • Incident reporting protocols

5. Safeguards

The following procedural safeguards support implementation:

Control ID   Description

SAT-001      All new employees must complete initial security training within 5 business days.

SAT-002      All users must complete an annual security awareness refresher training.

SAT-003      Simulated phishing campaigns must be conducted at least quarterly.

SAT-004      Completion of training is tracked in the LMS and monitored monthly.

SAT-005      Training materials must be reviewed and updated annually by the Information Security team.

SAT-006      Job-specific modules must be provided for high-risk roles (e.g., developers, IT admins).

SAT-007      Incident response procedures must be included in the training curriculum.

SAT-008      Users who fail phishing simulations must complete targeted re-training.

Each control is logged and subject to audit. Non-compliance alerts are escalated to HR and the CISO.

6. Roles and Responsibilities

  • Chief Information Security Officer (CISO): Oversees the training strategy, content development, and effectiveness metrics. Ensures training aligns with threats and compliance.

  • Human Resources (HR): Administers the training schedule, tracks completions, and enforces deadlines. HR works with managers to ensure compliance.

  • IT Department: Implements technical controls to enforce training-dependent access and support simulated phishing campaigns.

  • People Leaders (Managers): Ensure their team members complete training and reinforce key security messages.

  • Employees/Contractors: Are accountable for completing training within required timelines and applying learned practices to their daily work.

7. Compliance and Exceptions

Compliance with this procedure is mandatory and enforced through quarterly reporting to executive leadership and Internal Audit. Exceptions to the standard training timeline (e.g., onboarding delays) must be approved by HR and the CISO in writing and documented in the exception log.

Audit logs from the LMS and phishing simulation platform are reviewed monthly to identify trends, gaps, and opportunities for improvement.

8. Enforcement

Failure to complete required security training may result in access restrictions or disciplinary action. Specific enforcement protocols include:

  • First Missed Deadline: Reminder sent with 5-business-day grace period

  • Second Missed Deadline: Immediate suspension of system access pending training completion

  • Repeated Non-Compliance: Formal write-up, performance review impact, or HR escalation

  • Contractors/Vendors: Immediate removal of access if non-compliant after 10 business days

  • Phishing Failures: Targeted retraining and additional simulations

All enforcement actions are recorded in the personnel compliance file and subject to HR policy.

9. Related Policies/Documents

  • POL-HR-002: Security Awareness and Training Policy (CC2.1, CC2.2)

  • PRC-HR-001: Employee Onboarding Procedure

  • PRC-HR-002: Employee Offboarding Procedure

  • POL-ALL-002: Acceptable Use Policy

  • POL-ALL-001: Information Security Policy

  • SOC 2 CC2.1, CC2.2

  • ISO 27001:2022 A.6.2.2 and A.7.2.2

10. Review and Maintenance

This procedure shall be reviewed annually by the CISO and updated to reflect emerging threats, regulatory updates, and feedback from security testing outcomes. Significant changes in organizational structure, tools (e.g., LMS), or employment practices may also trigger an early review.

Version control is maintained by the GRC function and tracked in the document management system.

Ready to experience the BlueDocs advantage

See why teams choose BlueDocs for comprehensive knowledge management, training workflows, and policy compliance tracking.