Security Awareness Training Policy


The purpose of this Security Awareness Training Policy is to establish guidelines and requirements for the ongoing education and training of all employees, contractors, and third-party vendors of sapnagroup regarding cybersecurity best practices and threats. This policy aims to ensure that all individuals associated with the organization are well-informed and equipped to protect sensitive data and systems from security breaches.


This policy applies to all employees, contractors, and third-party vendors who have access to the company’s or its clients’ information systems, data, and networks.

Policy Statement

Training Requirements

  • All employees, contractors, and third-party vendors must participate in annual security awareness training sessions.
  • Additional training sessions may be required for employees with specific cybersecurity responsibilities or access to sensitive data.
  • New employees and contractors must complete security awareness training within 60 days of their start date.
  • Training content will cover topics such as password management, email security, phishing awareness, data protection, and reporting security incidents.

Training Delivery

  • Security awareness training will be provided through internal training sessions, workshops, or other approved methods.
  • The training content will be regularly updated to reflect the latest cybersecurity threats and best practices.


  • Non-compliance with security awareness training requirements may result in disciplinary action, including but not limited to suspension or termination of employment or contract.

Reporting Security Incidents

  • All employees, contractors, and third-party vendors are responsible for promptly reporting any suspected security incidents or breaches to the IT department or the designated security officer.


Employees, Contractors, and Third-Party Vendors

  • Attend and complete security awareness training as required.
  • Actively participate in maintaining a secure work environment.
  • Report security incidents promptly.

IT Department

  • Develop and maintain the security awareness training program.
  • Monitor and track training completion.
  • Provide support and guidance to employees, contractors, and third-party vendors regarding cybersecurity best practices.

Security Training Officer

  • Oversee the implementation and effectiveness of the security awareness training program.
  • Investigate and respond to reported security incidents.
  • Provide regular reports to senior management on training compliance and incident response.

Review and Revision

  • This policy will be reviewed annually and updated as needed to reflect changes in cybersecurity threats, technology, or organizational requirements.

Constituents of the Security Awareness Training Program:

  • Employees: All staff members, including full-time, part-time, and remote employees.
  • Contractors: Individuals or organizations providing services to the organization on a contractual basis.
  • Third-party Vendors: External entities that have access to the organization’s systems or data, such as cloud service providers or software vendors.
  • IT Department: Responsible for developing, implementing, and maintaining the security awareness training program.
  • Security Officer: Oversees the program’s implementation and ensures its effectiveness.
  • Senior Management: Receives regular reports on training compliance and incident response.
  • Training Content Providers: External or internal entities responsible for developing the training materials.
  • Auditors and Compliance Teams: May review the organization’s security awareness training program for compliance with industry standards and regulations.