xcPEP Security Awareness and Training Policy

This Security Awareness and Training Policy outlines the framework for educating all users of the xcPEP service on their responsibilities in maintaining a secure information environment. This policy aims to minimize security risks, protect sensitive data, and ensure compliance with relevant regulations.

1. Purpose and Scope

This policy applies to all individuals who access, use, or manage the xcPEP SaaS service, including employees, contractors, and any authorized third-party users. It establishes the requirements for security awareness training to foster a culture of security and empower users to identify and respond to potential threats effectively. Adherence to this policy is mandatory for all users.

2. General Principles

All users are responsible for understanding and adhering to security best practices. Advanced Structures India Private Limited is committed to providing regular and relevant security awareness training to equip users with the necessary knowledge and skills. A proactive approach to security education will be maintained to address evolving threats and vulnerabilities.

3. Training Requirements

All new users will undergo mandatory security awareness training as part of their onboarding process before gaining access to the xcPEP service. Existing users will receive recurrent security awareness training at least annually. Additional training may be mandated based on changes in technology, threats, or regulatory requirements. Training content will cover, but not be limited to, the following key areas:

• Data Classification and Handling: Understanding different data classifications (e.g., public, confidential, restricted) and the appropriate procedures for handling, storing, and transmitting each.
• Password Management: Best practices for creating strong, unique passwords and the importance of multi-factor authentication (MFA).
• Phishing and Social Engineering: Recognizing and reporting phishing attempts, suspicious emails, and social engineering tactics.
• Malware Protection: Awareness of various types of malware, how they spread, and methods to prevent infection.
• Incident Reporting: Procedures for identifying and reporting security incidents, including data breaches, suspicious activities, or system anomalies.
• Acceptable Use Policy (AUP) Review: Reinforcement of the xcPEP Acceptable Use Policy and its implications for secure service usage.
• Remote Work Security: Guidelines for securing devices and networks when working remotely.
• Physical Security: Basic awareness of physical security measures to protect company assets and information.

4. Training Delivery

Training will be delivered through various methods, including online modules, interactive presentations, workshops, and awareness campaigns (e.g., security tips via email, posters). The training program will be designed to be engaging and accessible, catering to different learning styles. Completion of mandatory training modules will be tracked, and records will be maintained.

5. Compliance and Enforcement

Compliance with this policy is a condition of using the xcPEP service. Failure to complete mandatory training or adhere to the security principles outlined in training may result in disciplinary action, up to and including suspension or termination of access to the service, in accordance with Advanced Structures India Private Limited's disciplinary procedures. Users are encouraged to actively participate in training and to seek clarification on any security-related concerns.

6. Policy Review and Updates

This xcPEP Security Awareness and Training Policy will be reviewed and updated at least annually, or more frequently as necessitated by changes in the threat landscape, technology, or regulatory requirements. Any updates to this policy will be communicated to all users.