IllumiDesk Security Docs
  • IllumiDesk Team Handbook
  • People Group
    • Introduction
    • General Employment
    • Employment Status & Recordkeeping
    • Working Conditions & Hours
    • Employee Benefits
    • Employee Conduct
    • Timekeeping & Payroll
  • Security and Compliance
    • Security Controls
      • BC.1.01 - Business Continuity Plan
        • IllumiDesk Business Continuity Plan
        • IllumiDesk Disaster Recovery
        • IllumiDesk Reference Architectures
        • IllumiDesk Handbook listing of DR for Databases
      • BC.1.0.2 - Business Continuity Plan: Roles and Responsibilities
      • BC.1.03 - Continuity Testing
      • BC.1.04 - Business Impact Analysis
        • Business Impact Analysis in the handbook
        • Data Protection Impact Assessment (DPIA) Policy
        • Data Protection Impact Assessments or DPIAs
        • UX Department
        • Triage Operations - Communication about expected automation impact
        • NIST BCP with reference to BIA
      • CFG.1.01 - Baseline Configuration Standard
        • Laptop or Desktop System configuration
        • Configuring New Laptops
        • Security Best Practices
      • CFG.1.03 - Configuration Checks
        • Production Change Requests Policy
      • CM.1.01 - Change Management Workflow
      • CM.1.02 - Change Approval
      • CM.1.03 - Change Management Issue Tracker
      • CM.1.04 - Emergency Changes
      • DM.1.01 - Data Classification Criteria
        • Data Classification Policy
      • DM.2.01 - Terms of Service
        • Application Terms of Use
      • DM.4.01 - Encryption of Data in Transit
        • Deprecate support for TLS 1.0 and TLS 1.1
      • DM.7.03 - Data Retention and Disposal Policy
      • IAM.1.01 - Logical Access Provisioning
        • Access Requests
        • Access Management Process
      • IAM.1.02 - Logical Access De-Provisioning
        • Access Management Process
        • Logical Access Deprovisioning
        • Access Reviews
        • IllumiDesk Offboarding Guidelines
      • IAM.1.04 - Logical Access Review
        • Access Reviews
      • IAM.1.05 - Transfers: Access De-Provisioning
        • Access Control Policy and Procedures
        • Job Transfers
        • Access Change Request
      • IAM.1.06 - Shared Logical Accounts
        • Security Process and Procedures for Team Members
        • Access Management Process
      • IAM.1.08 - New Access Provisioning
        • Access Requests
        • Access Management Process
      • IAM.2.01 - Unique Identifiers
        • Unique Account Identifiers
        • Access Control Policy and Procedures
        • Section on shared accounts in Okta handbook page
        • Access Management Process
      • IAM.2.02 - Password Authentication
      • IAM.2.03 - Multi-factor Authentication
      • IAM.3.02 - Source Code Security
      • IAM.4.01 - Remote Connections
      • IAM.6.01 - Key Repository Access
      • IR.1.01 - Incident Response Plan
      • IR.1.03 - Incident response
      • IR.1.04 - Insurance Policy
      • IR.2.02 - Incident Reporting
      • NO.1.01 - Network Policy Enforcement Points
      • PR.1.01 - Background Checks
      • RM.1.01 - Risk Assessment
      • RM.1.02 - Continuous Monitoring
        • Security Compliance
      • RM.1.04 - Service Risk Rating Assignment
      • RM.1.05 - Risk Management Policy
      • RM.3.01 - Remediation Tracking
      • SDM.1.01 - System Documentation
      • SG.1.01 - Policy and Standard Review
      • SG.2.01 - Information Security Program Content
      • SG.5.03 - Security Roles and Responsibilities
        • Incident Management Roles and Responsibilities
      • SG.5.06 - Board of Director Bylaws
        • Governance Documents
      • SG.5.07 - Board of Directors Security Program Content
        • Audit Committee Agenda Planner
      • SLC.1.01 - Service Lifecycle Workflow
      • SLC.2.01 - Source Code Management
      • SYS.1.01 - Audit Logging
      • SYS.2.01 - Security Monitoring Alert Criteria
      • SYS.2.07 - System Security Monitoring
      • TPM.1.01 - Third Party Assurance Review
      • TPM.1.02 - Vendor Risk Management
      • TRN.1.01 - General Security Awareness Training
        • Security Awareness Training
      • TRN.1.02 - Code of Conduct Training
      • VUL.1.01 - Vulnerability Scans
      • VUL.1.03 - Approved Scanning Vendor
      • VUL.2.01 - Application & Infrastructure Penetration Testing
      • VUL.3.01 - Infrastructure Patch Management
      • VUL.3.02 - End of Life Software
      • VUL.4.01 - Enterprise Protection
      • VUL.5.01 - Code Security Check
      • VUL.6.01 - External Information Security Inquiries
  • VPAT Version 2.3
Powered by GitBook
On this page
  • Control Statement
  • Context
  • Scope
  • Ownership
  • Additional control information and project tracking
  • Policy Reference
  • Framework Mapping
  1. Security and Compliance
  2. Security Controls

TRN.1.01 - General Security Awareness Training

Control Statement

All IllumiDesk team-members complete security awareness training, which includes updates about relevant policies and how to report security events to the authorized response team. Records of training completion are documented and retained for tracking purposes.

Context

At IllumiDesk , we use internal training modules developed by the Security Operations team as IllumiDesk's security awareness training. In the past, security awareness training has only been a task associated with on-boarding as a new IllumiDesk team-member. As we adopt new compliance frameworks and work towards an audit certification of some of these frameworks, we will need to increase the cadence of this training. Security awareness training can be seen as a hassle and disruption from normal work, but these trainings can have real value not only to IllumiDesk as a company, but also to IllumiDesk team members in their personal lives. Taking the time to go through this training will ensure team members are up to date on security best practices which will help to minimize IllumiDesk's risk as a company.

  • Because this field changes so quickly, and because of our changing needs for compliance as a company, we now require all IllumiDesk team-members to complete this training at least every 12 months.

Scope

This control applies to all IllumiDesk team-members.

Ownership

Control ownership:

  • People Operations

Process Owner:

  • People Operations

  • Security Operations

People Ops are responsible for deploying the process to ensure 100% of employee testing and validating that every IllumiDesk team member has completed training in the current year. Security Ops is consulted for the content and effectiveness of the control. All IllumiDesk team members are responsible for completing their security awareness training.

Additional control information and project tracking

Currently the security training is delivered through a recorded video and team member confirms acknowledgement in a form. The training is linked from onboarding issue template as part of the new hire tasks.

For audit evidence of compliance, we need to be able to demonstrate 100% completion of training by all team members.

Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the General Security Awareness Training control issue.

Policy Reference

  • Handbook policy on Security Awareness Training

Framework Mapping

  • SOC2 CC

    • CC1.1

    • CC1.4

    • CC1.5

    • CC2.2

    • CC2.3

PreviousTPM.1.02 - Vendor Risk ManagementNextSecurity Awareness Training

Last updated 1 year ago