Owner: CHRO (delivery), with CISO (content)
Effective Date: May 15, 2026
Reviewed: Annually
Frameworks: SOC 2 CC1.4 / CC2.2 (training and communication); ISO/IEC 27001 A.6.3 (information-security awareness). Implements the Human Resources Security Policy.
Effective Date: May 15, 2026
Reviewed: Annually
Frameworks: SOC 2 CC1.4 / CC2.2 (training and communication); ISO/IEC 27001 A.6.3 (information-security awareness). Implements the Human Resources Security Policy.
Cadence
| Trigger | When | Owner |
|---|---|---|
| New-hire training | Within 30 days of start date | CHRO (delivery), CISO (content) |
| Annual refresher | Annually, by the employee’s hire anniversary (no later than 12 months after their most recent completion) | CHRO (assignment), CISO (content) |
| Role-specific training | At time of role change, then annually | Hiring manager (assignment), CISO + relevant policy owner (content) |
| Topical / out-of-cycle training | On any material change to threat landscape, policy, or after a relevant incident | CISO |
Content
The baseline training is delivered through Vanta and covers, at minimum:- Neuroscale’s information-security policy set — pointers to /policies/information-security, /policies/access-control, /policies/data-management, and the Code of Conduct.
- Phishing recognition and reporting — how to report a suspicious message via security@neuroscale.ai or the Report a Security Issue page.
- Password hygiene and MFA, with explicit reference to the Access Control Policy MFA requirement for every Neuroscale-managed account.
- Device hygiene and the BYOD conditions in the Information Security Policy.
- Clear-screen / clear-desk practices.
- Data classification (Public / Restricted / Confidential) and handling rules.
- Incident reporting — what counts as an incident, how to report, who responds.
- Whistleblower channel — anonymous reporting per the Whistleblower Policy.
- AI-specific acceptable use per the AI Acceptable Use Policy — including the prohibition on pasting Confidential customer data into unapproved AI tools.
| Role | Additional module(s) |
|---|---|
| Engineering | Secure coding (/engineering/secure-coding), secrets handling (/engineering/secrets-management), change management (/engineering/change-management) |
| People-managers, recruiters | Fair-chance hiring + adverse-action handling (/procedures/background-checks) |
| Finance / executives | Wire-fraud and CEO-impersonation patterns; SOX-style segregation of duties |
| Anyone with production access | Production-access training (/policies/access-control §“Production access”), data-handling under /policies/data-management |
| Anyone handling employee or candidate data | Employee privacy (/policies/employee-privacy), AEDT and bias-audit procedures (/procedures/employment-ai-bias-audit) |
Process
- Assignment. CHRO assigns the baseline and role-applicable modules in Vanta on hire (and on role change). Assignments target completion within 30 days for new hires and within 30 days of the anniversary for annual refresh.
- Completion. Employees and applicable contractors complete modules and attest in Vanta. Vanta records the timestamp and the policy acknowledgement.
- Reminders. Vanta surfaces overdue items at 7 days before the due date, on the due date, and weekly thereafter. CHRO escalates any item more than 14 days past due to the employee’s manager.
- Reporting. CISO reviews the training completion dashboard monthly and reports trailing-quarter completion percentage at each ISMS Management Review.
- Phishing simulations. A simulated phishing campaign is run at least twice per year through the platform configured by the CISO (currently the simulation features of the email gateway). Click-rate and reporting-rate are reported at the ISMS Management Review. Repeat clickers are referred to additional targeted training; the CISO maintains the criteria and threshold.
Evidence
The following are retained in Vanta and surfaced into the SharePoint SOC 2 / ISO 27001 evidence library:- Per-employee training-completion records — module, date, attestation hash.
- Training content version in effect at the time of completion.
- Phishing-simulation campaign reports — date, click rate, report rate, repeat-clicker follow-up.
- Annual sign-off by the CISO that the program has been reviewed and is current.
Failure to complete
An employee who has not completed training by their due date — 30 days from assignment (at hire, or on the annual anniversary for the refresh), not 30 days after a separate due date — has their access suspended (excluding onboarding-only access) until completion is recorded. Repeated failure is grounds for disciplinary action per the Information Security Policy → Violations & enforcement.Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 15, 2026 | Initial version — implements Human Resources Security Policy → Information security awareness, education & training, SOC 2 CC1.4 / CC2.2, ISO 27001 A.6.3 | Cameron Wolfe | Ishan Jadhwani |