A.7.2.2 Resolver Security Awareness and Training Policy

1. Purpose, scope, and users

The purpose of the policy is to improve the security and confidentiality of information by implementing a security awareness and training program for all Resolver Full-time and Contract employees, including management.

Resolver understands that “people”, not necessarily technology, are often the largest threat to security and sensitive information, and will make every effort to ensure all Resolver’s Full-time employees, Contract team members, and Management are aware of and adhere to the policy.

2. Reference documents

ISO/IEC 27001:2013 standard, control A.7.2.2

3. Policy

All Full-time and Contract team members must be trained in and understand all Resolver security policies and procedures. In addition, all Full-time and Contract team members are trained on how to identify, report, and prevent potential security incidents.

Security awareness training is an ongoing activity at Resolver. Mandatory security awareness training sessions, held periodically and at least annually, keep Full-time and Contract team members up to date with potential new threats. The frequency and form of these reminders vary and include things like security-related notices, emails, and verbal communication.

Resolver has developed specific security policies to identify core activities such as security reminders, protection, login monitoring, and password management. All Full-time and Contract staff are trained on these policies as part of their orientation.

4. Responsibility

Resolver Full-time and Contract team members are responsible for understanding and following all security-related policies and procedures, and asking their manager for clarification when needed. The Management team is responsible for ensuring that their staff is trained and is up to date on the latest security threats.

5. Implementation

As part of the onboarding process, all new Resolver Full-time employees, Contract team members, and Management staff are required to complete security awareness training. In addition to this general training, more targeted training is provided according to employee role. For example, all developers and Quality Assurance engineers are required to complete annual Secure Coding Awareness Training.

To provide the most up-to-date security awareness training, Resolver uses a third-party security awareness training platform (KnowBe4) that helps us keep our users on their toes with security top of mind.

The list of mandatory training is detailed on our internal InfoSec Portal.

The content of the required training, as well as completion monitoring, is provided via the Resolver-to-Learn (R2L) portal.

All mandatory training should be completed within 60 days after the first day of employment.

Resolver has also ensured that periodic reminders of the policy’s existence are in place and that the latest version of the policy is kept for reference on our internal document-sharing site.

6. Validity and document management

This document is valid as of July 2020.

The owner of this document is an Information Security Analyst who must check and, if necessary, update the document at least once a year.

EFFECTIVE ON: September 2020

REVIEW CYCLE: At least annually and as needed

REVIEW, APPROVAL & CHANGE HISTORY: Last time reviewed and approved in August 2020 by Resolver’s Information Technology Security team.