Connor Group
Information Security

Security Education Training & Awareness Standard

Jan 2024
v.1.2

Introduction

Connor Group offers professional financial consulting to clients both foreign and domestic. The company excels in this by employing top-tier professionals who are highly qualified in their respective fields. To ensure compliance with legal and business requirements, these professionals and supporting business lines must also be fluent in protecting and defending access to sensitive information. As such, an Information Security Education, Training and Awareness program is necessary. This standard codifies the expectations for Information Security training of full-time employees and independent contractors operating on behalf of Connor Group. This standard is one of a set of documents that together form Connor Group's Information Security Management System (ISMS).

Purpose

Connor Group is committed to ensuring the privacy and security of its Information Systems and the information they house. This includes not only data with a legal requirement for protection, but all data considered sensitive, such as financial, operational, and non-public personal data. To support this commitment, all Connor Group employees and independent contractors shall be given appropriate security training and reminders.

Scope

This standard applies to all Connor Group employees, contractors, vendors, or any other individual or entity using an account that has access to sensitive data within the Connor Group environment.

In the event of uncertainty regarding applicability, Information Security can be contacted for clarification or guidance.

Definitions

References for terminologies or acronyms used within Information Security Standards can be accessed within the Glossary of Definitions (https://bookstack.soldenservices.com/books/policies-processes-procedures/page/glossary-of-definitions).

Policy

  1. All Connor Group workforce members, including management and remote workforce members, will receive initial and periodic role-appropriate security training to increase security knowledge and technical abilities.
  2. Initial security awareness training shall occur within 30 days of employment. Appropriate documentation of successful completion of initial and recurrent training shall be a prerequisite for an employee's or Independent Contractor's continued system access.
  3. The Training Officer will ensure that workforce members are regularly reminded of general information security risks and how to mitigate them.
  4. The Training Officer will ensure staff are regularly reminded of Connor Group's security policies, procedures and initiatives, and how they minimize security risks.
  5. The Training Officer will ensure workers are regularly reminded how to securely create, change and protect passwords used to authenticate to Connor Group resources.
  6. The Training Officer is responsible for the creation or sourcing of Information Security Training and Awareness reminders. The Training Officer or delegate is responsible for record keeping of security training and awareness.


Standard

  1. The Training Officer, or designee, will provide security awareness training. 
    1. The content will be approved by the Training Officer before disclosure to the workforce members. 
  2. The Training Officer will annually review the New Employee Orientation procedures to confirm security content is relevant. 
  3. The Training Officer or designee will ensure information security training is based on a workforce member's responsibilities and daily tasks. The Training Officer will define training categories appropriate to each job role, as needed.
  4. The Training Officer, in coordination with Human Resources, will ensure that responsibility for the safety of PI is included in the workforce member's job description.
  5. The Training Officer or designee will ensure training includes the following topics, as appropriate to job responsibility: 
    1. Sensitive Personal Data (PI) 
      1. The nature of PI and recognizing it in daily work.
      2. Organizational privacy and security rules, policies and procedures, and the sanctions and civil and criminal penalties prescribed for wrongful actions with PI.
      3. Overall discussion of assets, threats, vulnerabilities and safeguards specific to PI.
    2. Basic information security principles including: 
      1. Principle of need-to-know 
      2. Principle of least privilege 
      3. Principle of separation of duties 
      4. Principle of defense-in-depth 
      5. Processes for suggesting security improvements 
      6. Understanding of viruses and other forms of malicious software 
      7. User account requirements, maintenance, and accountability
      8. Password requirements, maintenance, and best practices
      9. Social engineering
    3. Incident identification and reporting, in accordance with company policy, including:
      1. Symptoms of an incident
      2. How and whom to notify immediately in the event of a suspected incident
      3. Next steps to follow when discovering an incident
    4. Social Engineering with the following emphasis:
      1. Adhering to policies and procedures, despite claims by persons that they should do otherwise
      2. The practice of verifying an official’s identity, position and/or authority prior to taking direction from that person with respect to security measures.  
  6. The Training Officer or designee will develop and execute a bi-annual (twice a year) Security Training and Awareness Campaign plan including topics, dates, and channels of communication. 
    1. As determined by procedure or timetable, training will provide staff members with appropriate information and reminders on subjects including, but not limited to: 
      1. Applicable new or changed information security policies, requirements, controls, or processes.
      2. Industry news
      3. Emergent and significant risks to Connor Group’s information systems and data. 
      4. Security best practices. 
      5. In consultation with legal counsel, additional topics such as internal incidents or complaints
    2. Training results will be reported to executive staff for visibility and accountability.
  7. To maintain phishing awareness, a phishing simulation program will be maintained for individuals with company-provided email. The following will be tracked to measure Security Awareness of the company:
    1. The aggregate failure rate of users month over month.
    2. Individual phishing failure rates, with remediation training for users who fail phishing simulations.
    3. Phishing simulation reporting rate, to identify Active Security Awareness.


Revision History

Revisions require approval by the Director of Information Security and dissemination to applicable business units prior to release.

Version  Detail                                                                                             Author                             Date
1.1      Formatting revised with requirements under Policy and Standard enumerated for easier reference.   Connor Group Information Security  May 2022
1.2      Annual Review                                                                                      Connor Group Information Security  Jan 2024