🧠 Security Awareness & Training
🧭 Planning:
Reviewed the organization's security awareness program, training records, and employee acknowledgment processes as part of a broader ITGC and compliance audit (mapped to regulatory expectations under frameworks such as ISO/IEC 27001 and NIST CSF PR.AT-1, which requires that all users are informed and trained).
🎯 Objectives:
- Confirm mandatory security training is provided to all users
- Assess completion rates and training frequency
- Validate phishing simulations and employee responsiveness
- Ensure policy acknowledgments are documented
📌 Procedures:
- Reviewed annual training modules and completion logs
- Sampled user training records across departments
- Examined phishing simulation reports and follow-up actions
- Verified acknowledgment of security policies and updates
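The four procedures above are the same tests an auditor would script against the raw exports rather than eyeball in Excel: join the HR roster (employees and contractors) to the LMS completion export, apply the completion deadline, reconcile policy acknowledgments for new hires, and compute phishing click and report rates per department. The following is an added example written for this page, not code from the audit or the organization; the roster, LMS, acknowledgment and phishing rows are constructed sample data, and the 30-day onboarding window, the 2024-03-31 annual cycle deadline, the module name `SEC-AWARE-2024` and the policy name are assumptions chosen for illustration.

```python
"""Audit tests for a security awareness program over constructed sample exports."""
from collections import defaultdict
from datetime import date, timedelta

AS_OF = date(2024, 6, 30)             # audit cut-off date (assumed)
GRACE_DAYS = 30                       # onboarding completion window (assumed)
CYCLE_DEADLINE = date(2024, 3, 31)    # deadline for the annual refresher (assumed)
ANNUAL_MODULE = "SEC-AWARE-2024"      # mandatory module name (hypothetical)
POLICY = "Acceptable Use Policy v3"   # policy requiring acknowledgment (hypothetical)

# Constructed HR roster: employees and contractors with department and start date.
ROSTER = [
    {"id": "u001", "dept": "Finance",     "type": "employee",   "start": date(2023, 1, 9)},
    {"id": "u002", "dept": "Finance",     "type": "employee",   "start": date(2024, 5, 20)},
    {"id": "u003", "dept": "Engineering", "type": "employee",   "start": date(2022, 3, 1)},
    {"id": "u004", "dept": "Engineering", "type": "contractor", "start": date(2024, 2, 12)},
    {"id": "u005", "dept": "Sales",       "type": "employee",   "start": date(2024, 6, 24)},
    {"id": "u006", "dept": "Sales",       "type": "contractor", "start": date(2023, 11, 6)},
]

# Constructed LMS export: one row per completed module. u002 completed the wrong module.
LMS = [
    {"id": "u001", "module": ANNUAL_MODULE, "completed": date(2024, 2, 2)},
    {"id": "u003", "module": ANNUAL_MODULE, "completed": date(2024, 1, 15)},
    {"id": "u002", "module": "GDPR-BASICS", "completed": date(2024, 6, 1)},
]

# Constructed policy-acknowledgment export from the policy portal.
ACKS = [
    {"id": "u001", "policy": POLICY, "signed": date(2024, 1, 10)},
    {"id": "u003", "policy": POLICY, "signed": date(2024, 1, 16)},
    {"id": "u004", "policy": POLICY, "signed": date(2024, 2, 14)},
]

# Constructed phishing-simulation export: did the user click, did the user report it.
PHISH = [
    {"id": "u001", "dept": "Finance",     "clicked": False, "reported": True},
    {"id": "u002", "dept": "Finance",     "clicked": True,  "reported": False},
    {"id": "u003", "dept": "Engineering", "clicked": False, "reported": True},
    {"id": "u004", "dept": "Engineering", "clicked": False, "reported": True},
    {"id": "u005", "dept": "Sales",       "clicked": True,  "reported": False},
    {"id": "u006", "dept": "Sales",       "clicked": False, "reported": False},
]


def training_status(roster, lms, module=ANNUAL_MODULE, as_of=AS_OF, grace_days=GRACE_DAYS):
    """Classify every roster entry as 'complete', 'overdue' or 'in_grace'.

    The deadline is the later of (start + grace window) and the annual cycle deadline,
    so new hires get their onboarding window and everyone else is held to the cycle.
    Only the mandatory module counts; other completions are ignored.
    """
    done = {r["id"] for r in lms if r["module"] == module}
    status = {}
    for w in roster:
        deadline = max(w["start"] + timedelta(days=grace_days), CYCLE_DEADLINE)
        if w["id"] in done:
            status[w["id"]] = "complete"
        elif as_of > deadline:
            status[w["id"]] = "overdue"
        else:
            status[w["id"]] = "in_grace"
    return status


def completion_rate_by_dept(roster, status):
    """Fraction of workers marked 'complete', per department and overall ('ALL')."""
    counts = defaultdict(lambda: [0, 0])  # dept -> [complete, total]
    for w in roster:
        for key in (w["dept"], "ALL"):
            counts[key][1] += 1
            counts[key][0] += status[w["id"]] == "complete"
    return {d: round(c / n, 2) for d, (c, n) in counts.items()}


def untracked_contractors(roster, lms):
    """Contractors on the HR roster with no LMS record at all: the tracking gap."""
    seen = {r["id"] for r in lms}
    return sorted(w["id"] for w in roster if w["type"] == "contractor" and w["id"] not in seen)


def missing_acks(roster, acks, policy=POLICY, as_of=AS_OF, grace_days=GRACE_DAYS):
    """Workers past their onboarding window who never acknowledged the policy."""
    signed = {a["id"] for a in acks if a["policy"] == policy}
    return sorted(w["id"] for w in roster
                  if w["id"] not in signed and as_of > w["start"] + timedelta(days=grace_days))


def phishing_rates(results):
    """Per-department click rate and report rate from a simulation export."""
    agg = defaultdict(lambda: {"n": 0, "clicked": 0, "reported": 0})
    for r in results:
        a = agg[r["dept"]]
        a["n"] += 1
        a["clicked"] += r["clicked"]
        a["reported"] += r["reported"]
    return {d: {"click_rate": round(a["clicked"] / a["n"], 2),
                "report_rate": round(a["reported"] / a["n"], 2)} for d, a in agg.items()}


def low_reporting_departments(rates, threshold=0.5):
    """Departments whose report rate falls below the threshold (assumed 50%)."""
    return sorted(d for d, r in rates.items() if r["report_rate"] < threshold)


if __name__ == "__main__":
    status = training_status(ROSTER, LMS)
    print("completion by dept:", completion_rate_by_dept(ROSTER, status))
    print("overdue:", sorted(u for u, s in status.items() if s == "overdue"))
    print("untracked contractors:", untracked_contractors(ROSTER, LMS))
    print("missing acknowledgments:", missing_acks(ROSTER, ACKS))
    rates = phishing_rates(PHISH)
    print("phishing:", rates, "low reporting:", low_reporting_departments(rates))
```

The reconciliation runs from the HR roster, not from the LMS, which is what exposes contractors who never appear in the LMS at all; an LMS-only completion report silently excludes them. Policy acknowledgments are tested against the same onboarding window, so a new hire still inside it is not raised as an exception.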
📑 Working Papers:
- WP-ITGC-SA001: Security awareness program review
- Training logs, LMS exports, phishing test results, policy acknowledgment reports
📊 Findings:
- ❗ 15% of staff had not completed mandatory training within the required timeframe
- ❗ No formal tracking of training completion by third-party contractors
- ⚠️ Phishing simulation results showed low reporting rates in two departments
- ⚠️ Security policy acknowledgments were missing for new hires in one business unit
🧰 Tools Used:
Learning Management System (LMS), policy management portal, phishing simulation platform (KnowBe4), Excel
✅ Recommendations:
- Enforce completion of security training within 30 days of onboarding
- Extend training requirements and tracking to vendors and contractors
- Conduct phishing simulations quarterly and report outcomes by department
- Integrate policy acknowledgment into HR onboarding workflows
- Regularly update training content to reflect emerging threats