Security Awareness and Training Policy

1. Purpose, scope, and users

The purpose of the policy is to improve the security and privacy of information by implementing a security and privacy awareness and training program for all Resolver full-time and contract employees, including management.

Resolver understands that “people”, not necessarily technology, are often the largest threat to security and sensitive information and will make every effort to ensure all Resolver’s full-time employees, Contract team members, and Management are aware of and adhere to the policy.

2. Reference documents

  • ISO/IEC 27001:2013 standard, control A.7.2.2
  • ISO/IEC 27701:2019 standard, control 6.4.2.2

3. Policy

All full-time employees and Contractors who may have access to sensitive or customer information must be trained in and understand all Resolver security policies and procedures.
In addition, all Full-time Contractors who may have access to sensitive or customer information are trained to identify, report, and prevent potential security incidents and data privacy breaches.

Security and privacy awareness training is an ongoing activity at Resolver.  Periodic, at least annual, mandatory security awareness training sessions keep full-time employees and Contract team members up to date with potential new threats.  The frequency and form of these reminders vary, including security-related notices, emails, and verbal communication.

Resolver has developed specific security and privacy policies to identify core activities such as security reminders, protection, login monitoring, and password management. All Full-time employees and Contractors who may have access to sensitive or customer information are trained on these policies as part of their orientation.

4. Responsibility

Resolver full-time employees and Contractors who may have access to sensitive or customer information are responsible for understanding and following all the security and privacy-related policies and procedures and asking their manager for clarification when needed.

The Management team is responsible for ensuring that their staff is trained and is up to date on the latest security threats.

5. Implementation

As part of the onboarding process, all new Resolver Full-time employees, Contractors who may have access to sensitive or customer information, and Management staff are required to complete security and privacy awareness training within 60 days from their joining date.

In addition to this general training, specific, more targeted training is provided according to employee role; for example, all developers and Quality assurance engineers are required to complete annual Secure Coding Awareness Training.

In order to provide the most updated security and privacy awareness training, Resolver utilizes a third-party security awareness training platform (KnowBe4) that helps us keep our users on their toes with security top of mind.

The list of mandatory required training is detailed on our internal InfoSec Portal using the following link: https://resolver.atlassian.net/wiki/spaces/SEC/pages/208896014/Mandatory+required+trainings

The content and completeness monitoring of the required training are provided via the Resolver-to-Learn (R2L) portal: https://resolvertraining.resolver.com/learn/signin

All mandatory training should be completed within 60 days after the first day of employment.

Resolver has also ensured that periodic reminders of the policy’s existence are in place. The latest version of the policy is kept for reference on our internal document-sharing site.

6. Validity and document management

This document is valid as of August 2023.

The owner of this document is an Infosec & Compliance Lead who must check and, if necessary, update the document at least once a year.

EFFECTIVE ON: August 2023

REVIEW CYCLE: At least annually and as needed