Security Awareness Training Program

Ongoing security education for all team members

Public

Purpose

This program is designed to help all team members understand security responsibilities, threats, and best practices to protect Maelstrom AI’s information assets.

Training Requirements

New Hire Onboarding

Within first week:

  • Information security policies review
  • Acceptable use policy
  • Password and credential management
  • Phishing and social engineering awareness
  • Incident reporting procedures
  • Remote work security

Format: Self-paced reading + acknowledgment quiz
Duration: ~2 hours
Completion: Required before system access is granted

Annual Refresher

All team members, once per year:

  • Policy updates review
  • Current threat surface
  • Recent incidents and lessons learned
  • New security tools or procedures

Format: Interactive session or self-paced module
Duration: ~1 hour
Tracking: Completion recorded

Role-Specific Training

Developers:

  • Secure coding practices
  • Supply chain security
  • Cryptographic implementation guidelines
  • Code review for security

Administrators:

  • Privileged access management
  • Incident response procedures
  • Key management
  • Audit log review

Training Topics

Core Security Concepts

Information Classification:

  • Public, Internal, Confidential, Restricted
  • How to classify information
  • Handling requirements for each level

Access Control:

  • Principle of least privilege
  • MFA importance
  • Password manager usage
  • Never share credentials

Zero-Knowledge Architecture:

  • What it means for security
  • Why we minimise PII collection
  • Privacy by design benefits

Threat Awareness

Phishing:

  • Recognising phishing emails
  • Red flags (urgency, suspicious links, unknown senders)
  • What to do: Don’t click, report to security@maelstrom.au
  • Real examples (sanitized)

Social Engineering:

  • Phone-based attacks (vishing)
  • Pretexting scenarios
  • Verify identity before sharing information
  • Report suspicious contacts

Supply Chain Attacks:

  • Malicious dependencies
  • Typosquatting
  • How we protect (SLSA, security scanning)
  • Vigilance in code review

Secure Development

Never:

  • Commit secrets to Git
  • Use weak cryptography
  • Skip security testing
  • Bypass code review

Always:

  • Use approved cryptographic libraries
  • Run security scans before merging
  • Review dependencies for vulnerabilities
  • Test security controls

Incident Reporting

Report immediately:

  • Phishing attempts (even if you didn’t fall for it)
  • Lost/stolen devices
  • Suspected malware
  • Unusual system behaviour
  • Accidental data exposure

How to report: security@maelstrom.au

No blame: Good-faith reporting encouraged

Training Methods

Self-Paced Learning

Materials:

Interactive Sessions

Security Review (included in quarterly management review):

  • Discuss recent threats
  • Share lessons learned
  • Review security metrics
  • Update awareness content

Note on Simulations

Phishing simulations and dedicated security meetings are not applicable for a sole operator. Security awareness is maintained through professional certifications (CISSP, Security+, PenTest+, SecurityX), continuous industry engagement, and quarterly management review.

Continuous Learning

Signal/Communication Channels:

  • Security tips shared regularly
  • Threat alerts when relevant
  • Celebrate good security practices

Documentation:

  • Transparent, always available
  • Updated as threats evolve
  • Searchable and cross-linked

Measurement

Metrics Tracked

  • Training completion rates (target: 100%)
  • Time to complete initial training (target: <1 week)
  • Incident reporting rate (higher is better - shows awareness)
  • Professional certification currency (maintained annually)

Quarterly Review

  • Analyse training effectiveness
  • Identify knowledge gaps
  • Update content based on incidents
  • Recognise security champions

Specialized Training

Cryptography

For those working with provii-crypto:

  • Threat modeling for cryptographic code
  • Side-channel attack awareness
  • Secure random number generation
  • Testing cryptographic implementations

Incident Response

For Security Lead and on-call:

  • Incident classification
  • Response procedures practice
  • Forensics basics
  • Communication protocols

External Resources

Recommended Reading:

  • OWASP Top 10
  • NIST Cybersecurity Framework
  • Australian Cyber Security Centre (ACSC) guidance
  • Supply chain security (SLSA documentation)

Conferences (if budget allows):

  • BSides (local security conferences)
  • OWASP chapter meetings
  • Cryptography conferences (for crypto team)

Acknowledgment

Required Acknowledgments:

  • Initial training: Sign acknowledgment form
  • Annual refresher: Electronic acknowledgment
  • Policy updates: Acknowledge within 14 days

Records: Maintained for audit purposes (3 years)

Continuous Improvement

After Security Incidents:

  • Immediate training on specific threat
  • Update training materials
  • Share lessons learned (blameless)

Based on Industry Trends:

  • Monitor CERT/CISA advisories
  • Update for new attack vectors
  • Incorporate emerging best practices

  1. Information Security Policy
  2. Acceptable Use Policy
  3. Incident Response

Document Information

  • Version: 1.1
  • Effective Date: 2025-01-13
  • Last Updated: 2026-05-21
  • Owner: ISMS Owner
  • Review Frequency: Annually
  • Next Review: 2026-11-21
  • Classification: Public