Last updated by: Riley Collis, Last updated on: 16/05/2025
Cybersecurity User Awareness Training Policy
Redback Operations Cybersecurity User Awareness Training Policy
Document Creation: 10 May, 2024. Last Edited: 30 April, 2025 by Riley Collis. Original Authors: Jamison Begley.
Effective Date: 30 April 2025. Expiry Date: 30 April 2026.
Policy Statement
Redback Operations is committed to maintaining the highest standards of cybersecurity. This policy outlines our approach to ensuring all personnel understand their role in safeguarding our systems, data, and infrastructure. We aim to foster a culture of security awareness and compliance through structured, role-appropriate, and regularly updated training.
Purpose
The purpose of this User Awareness Training document is to define the standards that must be followed for the training and upskilling of our employees. The policy outlines mandatory training modules to guarantee compliance with internal policies and recognized cybersecurity frameworks, such as NIST, the Australian Government ISM, and the Essential Eight.
Introduction
What is user awareness training?
User awareness training refers to the guidelines put in place by an organisation to help educate workers about the potential risks of their role and job functions. Though the awareness training typically focuses on data protection, data security and overall compliance with company policies.
What is the purpose of user awareness training?
User awareness training serves a range of crucial functions within an organisation. Aside from educating workers about the potential risks of their job functions, it also provides employees with a range of strategies and procedures that they can follow to mitigate or resolve these risks effectively.
Through the provision of this training, not only is data security improved, but if followed correctly, there may be a significant increase in company performance and morale.
Finally, user awareness training works to minimise potential loss, and consequently, it works to foster a safe and positive working environment.
Why Do We Follow This Training?
We follow our user awareness training as it is put in place to prevent any sort of risks that may present themselves and pose a threat to the company.
Risks of Non-Compliance
If we did not follow our user awareness training protocols, a collective employee gap in knowledge may leave Redback Operations prone to, and susceptible of a range of attacks.
These attacks can target our sensitive data, company systems, assets, trade secrets and critical infrastructure.
In the event of an attack, if employees haven’t conducted our user awareness training, we may suffer a significant data leak and/or data loss due to a lack in knowledge of how to appropriately respond to or prevent such a thing. This data may be revealed to the public, which will hold a significant impact on the company, and its relationship with consumers, as their information may be susceptible to tampering, unauthorized disclosure, or it may be used against them.
Not only this, but the compromise of our company systems, assets, and critical infrastructure may lead to a complete loss of access, to both, our data, and our recovery systems, causing us to lose everything we have.
Scope and Applicability
This policy applies to:
- All full-time and part-time employees.
- New hires.
- Contractors and third-party vendors.
- Specific business units such as IT, HR, Compliance, and Marketing. All individuals within scope must complete the training and any associated assessments within the required time frame.
Roles and Responsibilities
- IT Security Team: Develop and maintain training content, monitor compliance, and lead enforement measures.
- HR Department: Track completion rates and initiate disciplinary actions if needed.
- Compliance Officers: Ensure training aligns with regulations and review adherence.
- All staff: Complete training and apply knowledge in daily operations.
Training Objectives
User awareness training aims to:
- Educate staff on data protection, security risks, and mitigation strategies.
- Improve employee compliance with company polices.
- Enhance cybersecurity hygiene and reduce organizational risk.
- Encourage proactive threat reporting and behaviour.
Training Content Overview
The training program includes but is not limited to:
- Core operations of Redback Operations.
- Data classification and protection protocols.
- Ethics and conduct.
- Social engineering, phising, and credential theft.
- Safe browsing, password hygiene, and malware awareness.
- insider threat identification.
- role-based content: Customised modules for IT, development, marketing, and admin roles.
Note: Training is aligned with the Essential Eight Maturity Model and NIST Cybersecurity Framework.
Training Frequency and Access
- Initial training upon hire.
- Mandatory refresher training annually.
- Additional training after major security incidents or policy updates.
- Training resources and quizzes are accessible via the internal company repository.
Assessment and Certification
- Employees must achieve a 100% score on a follow-up quiz.
- Certification is valid for 12 months.
- Expired or failed certifications must be retaken within 10 business days.
Where Can This Training Be Accessed?
Within the company repositories, a document can be found which describes the minimum amount of acquired knowledge that an employee must have, though it is followed by a quiz that employees must earn a perfect score on to be recognized for the completion of their training.
Monitoring and Enforcement
Compliance is tracked through the HRIS and LMS systems. Failure to complete training or achieve a passing score may result in:
- Restricted access to systems and data.
- Formal warnings or other disciplinary actions.
- Notifications to HR and departmental managers.
Policy Review and Update
This policy will be reviewed:
- Annually.
- After any major cybersecurity incident.
- Upon changes to legislation or best practices. The IT Security Team and Compliance Officers are responsible for reviewing and updating the policy content.