Security Awareness Training Policy for HGA
- Purpose and Scope
- Training Frequency and Schedule
- Mandatory Participation for All Personnel
- Training Content and Key Topics
- Roles and Responsibilities
- Enforcement and Consequences of Non-Compliance
- Record-Keeping and Audit
- Integration with HGA Consultant Contract and Platform Security Specifications
Purpose and Scope
Humanics Global Advisors (HGA) is committed to protecting the confidentiality, integrity, and availability of information entrusted to us by our clients, consultants, and staff. This Security Awareness Training Policy defines requirements to ensure all personnel are educated on security best practices, supporting HGA’s mission of delivering trusted international consulting services with the highest level of integrity and data security. The policy applies to all internal HGA employees as well as all active consultants using the HGA Digital Platform. By mandating regular security awareness training, HGA aims to foster a proactive security culture where every individual understands their role in safeguarding sensitive information and client data. Given that human error is a leading cause of security incidents (with over two-thirds of breaches involving an accidental human mistake like clicking a phishing link[1]), this policy seeks to reduce risk through continuous education and vigilance.
Scope: This policy covers all HGA offices, systems, and the HGA digital platform (“DevTender”), and encompasses both permanent staff and independent consultants engaged via the platform. It aligns with HGA’s security goals and compliance obligations by setting a unified standard for security awareness. All personnel under HGA’s control, whether employees or contractors, must be aware of and adhere to the organization’s security policies[2]. The training requirements herein are designed to meet international best practices (e.g. ISO/IEC 27001 Clause 7.3 on awareness and training) and relevant regulations (such as GDPR’s mandate for employee data protection training[3]). Ultimately, the purpose of this policy is to equip every member of HGA with the knowledge to prevent, detect, and respond to security threats, thereby protecting our clients, our platform, and our global reputation.
Training Frequency and Schedule
Security awareness training at HGA will be conducted on a regular, ongoing basis to ensure knowledge remains current. The required frequency is as follows:
- New Hire and Onboarding Training: All new HGA employees and all new consultants joining the HGA platform must complete an initial security awareness training module as part of onboarding. This training should occur within the first 2 weeks of start or platform activation. It introduces HGA’s security policies, acceptable use guidelines, and basic protective practices.
- Annual Refresher Training: All employees and consultants must participate in a formal security awareness refresher at least once per year. Annual training is considered a minimum best-practice cadence in the industry[4]. For example, Payment Card Industry standards require personnel to be trained upon hire and at least annually thereafter[5]. HGA adopts this standard to keep security knowledge fresh.
- Periodic Updates or Interim Training: In addition to the annual training, HGA may require bi-annual (twice yearly) shorter refresher sessions or quarterly micro-trainings on specific topics to reinforce key practices. Regular brief refreshers (e.g. every 6 months) are recommended to maintain vigilance[4]. These can be in the form of online quizzes, newsletters, or interactive modules focusing on emerging threats.
- Training Upon Policy/Threat Changes: If there are significant updates to HGA’s security policies, new regulatory requirements, or emerging threats (for instance, a wave of new phishing scams or a major platform security feature rollout), ad-hoc training will be provided to all relevant personnel. This ensures everyone is up-to-date on how to handle new situations. Training may also be repeated for individuals or groups if audit results or incident trends indicate a need for reinforcement.
All training activities will be scheduled and announced by the HGA IT/Security team in coordination with Human Resources. Attendance is mandatory (see next section), and adequate time during work hours will be allotted for completion. Wherever possible, HGA will leverage interactive and engaging training methods (videos, simulations, quizzes) to improve retention, rather than long lectures, in line with best practices for adult learning and to combat “training fatigue.” The overall schedule (onboarding, annual, periodic updates) may be adjusted by HGA’s Security Committee as needed, but will never fall below an annual frequency.
Note: Records of completion will be reviewed after each cycle to ensure 100% participation (see “Record-Keeping and Audit” below). Individuals who miss a scheduled training (e.g. due to leave) are required to complete a makeup session as soon as possible upon return.
Mandatory Participation for All Personnel
Security awareness training is compulsory for all HGA personnel without exception. This includes:
- All Internal Staff: Every HGA employee (full-time, part-time, temporary, or intern) must complete the designated security training. Security is everyone’s responsibility, not just the IT department’s[6]. Even non-technical staff handle information or use systems that can impact security, so they are equally required to be trained.
- All Consultants on the HGA Platform: Consultants using the Humanics Global Advisors Digital Platform are required to complete HGA’s security awareness training as a condition of their engagement. This requirement is integrated into HGA’s consultant onboarding and contract process. By signing the HGA Consultant Representation & Services Agreement, consultants agree to comply with HGA’s policies and standards for data protection and confidentiality[7]. The training ensures that consultants understand these obligations. In many cases, consultants handle sensitive client data and must follow the same security practices as staff. HGA’s policy treats consultants as an extension of our workforce for security purposes, consistent with ISO 27001 guidance that anyone working under the organization’s control (including contractors) be made aware of security responsibilities[2].
- Management and Leadership: Executives and managers are not exempt – leadership must also attend security training. In fact, leadership support is critical to set the tone for a security-conscious culture. Managers have additional responsibility to reinforce training points within their teams, but they must first lead by example by completing all trainings themselves.
- Third-Party Users: In rare cases where third parties (e.g. subcontractors, partners, or vendors) have access to HGA’s digital platform or data, HGA may require them to undergo a tailored version of our security training or show proof of equivalent training at their own organization. This will be determined on a case-by-case basis by the IT Security team in line with contract requirements. For instance, Massachusetts law explicitly mandates that even temporary and contract workers receive security training as part of an organization’s program[8], and HGA upholds that inclusive approach.
Attendance in scheduled security awareness training is mandatory. Lack of participation or failure to complete required training by the stipulated deadlines will result in follow-up actions (see “Enforcement and Consequences”). There is no opt-out based on role or seniority – threats target all levels of personnel, so all must be prepared.
Training Content and Key Topics
HGA’s Security Awareness Training covers a comprehensive set of topics relevant to our threat landscape, business activities, and compliance obligations. The training content is regularly updated to address both foundational best practices and evolving risks, including platform-specific threats identified in the HGA digital environment[9]. The core training topics include:
- Phishing and Social Engineering Awareness: Recognizing and avoiding phishing emails, spear-phishing, SMS phishing (“smishing”), voice phishing (“vishing”), and other social engineering attacks. Trainees learn how to spot suspicious messages or links, verify sender identities, and handle unexpected requests for sensitive information. They are taught to be vigilant and not to click on unsolicited links or provide credentials without verification[9]. This module includes examples of phishing scams and the psychological tactics attackers use (urgency, impersonation, etc.), as well as HGA’s procedures for reporting suspected phishing attempts (see incident reporting below).
- Secure Password Practices (and Authentication): Guidance on creating strong, unique passwords and using password managers. Emphasis is on passphrases or complex passwords that are not easily guessable, changed regularly, and never reused across accounts. HGA’s policy of mandating Multi-Factor Authentication (MFA) for all user logins is explained, including how to use MFA tokens/apps properly[10][11]. Trainees are warned against common pitfalls like writing down passwords, sharing credentials, or falling for password reset scams. The importance of protecting one’s account credentials on the HGA platform (which uses role-based access controls) is underscored.
- Proper Data Handling and Storage: Best practices for handling sensitive data in compliance with HGA’s data classification and protection standards. This includes data classification levels (public, internal, confidential, highly sensitive) and how each type must be stored, transmitted, and destroyed. Topics cover encryption requirements (e.g. use of approved encrypted storage or secure cloud for client data), safe sharing of files (using HGA’s secure platform features rather than email for sensitive files), and data minimization (only storing what is necessary). Participants are trained on secure file storage solutions provided by HGA (such as SharePoint or encrypted S3 buckets) and instructed never to store work data on unapproved personal devices or cloud accounts. The training also covers secure disposal of information: for example, shredding physical documents and permanently deleting or wiping electronic files when no longer needed. Special attention is given to safeguarding client confidential information and personal data encountered in consulting projects, as required by HGA’s Confidentiality policies in the consultant contract[12][13].
- Device Security and Remote Work Protocols: Guidance on keeping laptops, smartphones, and other devices secure, especially when working remotely or traveling. This includes endpoint security practices such as installing HGA-approved antivirus/anti-malware software and keeping it up-to-date, enabling firewalls, and applying security patches regularly (with IT support). Employees and consultants are reminded to never disable security controls on HGA-provided devices. The training covers physical security of devices: e.g. not leaving laptops unattended in public places, locking screens when away, and securing devices in transit (using privacy screens, cable locks, etc.). For remote work, the policy mandates using secure, encrypted connections (HGA’s VPN or secure web portal) when accessing the platform over public Wi-Fi, and avoiding public computers for HGA work. Guidance is given on preventing data leakage via lost or stolen devices (e.g. using device encryption and knowing how to report a lost device immediately so IT can remote-wipe it). This section also ties in the Remote Working control (ISO 27001 A.6.7) to ensure remote workers follow equivalent security standards as in-office[14].
- Privacy and Data Protection Laws: Training on key privacy regulations such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), among others, to ensure everyone understands legal obligations regarding personal data. HGA handles personal data of consultants and clients across borders, so compliance is critical. The training explains core principles of GDPR (lawful bases for processing, data subject rights, data breach notification requirements, etc.) and how they translate into daily practices. For example, employees and consultants learn the importance of consent and confidentiality when handling personal data and are instructed to follow HGA’s data privacy procedures in all projects[15]. They are reminded that both HGA and consultants are expected to adhere to global best practices for data privacy, even in jurisdictions where such laws may not yet apply[15]. Real scenarios are used (e.g. handling a client’s contact list or CVs of experts) to illustrate compliant vs. non-compliant behavior. The training also covers consequences of violating privacy laws – both for the individual (potential disciplinary action) and the company (legal penalties, reputational damage). Notably, GDPR training is not optional – GDPR explicitly requires organizations to train employees on personal data handling under the law[3]. By including GDPR/CCPA topics, HGA ensures all personnel know how to protect personal data and honor privacy rights as promised in our contracts and policies.
- Platform-Specific Threats (Humanics Digital Platform): Security awareness tailored to the HGA Digital Platform (DevTender) usage. Users learn about threats and secure practices specific to our platform’s functionality. For instance, consultants are trained to beware of any unsolicited platform messages that could be fraudulent (like someone posing as an HGA admin or client on the platform to elicit information). They are reminded that legitimate HGA communications will come through official channels and to report any suspicious platform activity. This topic also covers proper use of platform features: e.g. uploading documents only to designated secure areas, not bypassing platform workflows in insecure ways (like emailing documents that should go through the platform), and understanding that the platform has built-in security (encryption, MFA, audit logs[16][10]) that users should not attempt to circumvent. Threats such as account sharing or using weak passwords on the platform are discussed – users are warned that sharing their platform credentials with others (even colleagues) is prohibited and creates security risks. Any AI tools or integrations in the platform (like an AI assistant for consultancy matching) are also covered from a security perspective, ensuring users know how to use them without exposing sensitive data. Essentially, this section reinforces that while the platform implements robust security measures, user vigilance and correct usage are vital to maintain overall security[9].
- Incident Reporting Procedures: Detailed instruction on how to promptly report security incidents, suspected breaches, or any unusual activity. All employees and consultants are trained in HGA’s incident response communication plan. This includes knowing what types of events to report (examples: a lost laptop, a malware infection, receiving a phishing email, discovering that one sent sensitive data to the wrong recipient, any sign of unauthorized access to systems or data, etc.). It also covers how and where to report: HGA provides a dedicated incident report email address and an internal portal form for reporting security issues. The training emphasizes that time is of the essence – incidents should be reported immediately, without fear of blame. Staff are taught that early reporting helps HGA contain problems (whether it’s a virus outbreak or a potential data leak) and that they will not be punished for honest mistakes if reported in good faith (a blameless reporting culture). This aligns with ISO 27001 control 6.8, which requires organizations to have a mechanism for personnel to report security events in a timely manner[17]. The policy also reiterates the consultant contract clause that both HGA and the consultant must notify each other of any breach or security incident involving personal data[18] – our training ensures everyone knows this responsibility. Specifically, consultants are instructed that if they suspect a client’s data has been compromised or any compliance issue on a project, they must alert HGA’s security team right away. The training provides contact information (security officer’s email, hotline number, etc.) and walks through a simple, non-technical reporting template. It also outlines what happens after a report: the basic steps of HGA’s incident response (analysis, containment, notification to affected parties or authorities if required by law, etc.), so reporters understand the process. The goal is to make incident reporting second nature and remove any hesitation in bringing issues to light.
- Other Key Topics: Additional areas covered include malware protection (how to avoid malware through safe web browsing and email hygiene, and the role of anti-malware tools), physical security (tailgating, office access control, ID badges), safe use of removable media (prefer encrypted USB drives, scan for viruses, or avoid altogether), secure development practices (for IT staff or developers, touching on writing secure code if relevant), and social media/data sharing risks (caution when posting work-related information online). If HGA has any specific policies like an Acceptable Use Policy or Clean Desk Policy, the training incorporates those rules as well.
This list is not exhaustive, but represents the critical domains that the security awareness program will routinely address. HGA will adjust the emphasis on topics based on current threat intelligence and any incidents we encounter. For example, if phishing attempts targeting HGA accounts increase, we may intensify phishing education or run simulated phishing exercises as part of training to gauge and improve readiness. Likewise, if new privacy regulations in a region where we operate come into effect, we will update the privacy law section accordingly.
Phishing Awareness: A particularly high priority is phishing prevention, as illustrated by this example of a fake login being “phished.” Training highlights that seemingly legitimate emails or links can be malicious attempts to steal credentials. In fact, more than two-thirds of data breaches involve an unwitting human action (like clicking a phishing link)[1]. Through the program, HGA staff and consultants learn to be suspicious of unexpected requests, to verify sender authenticity, and to “think before they click.” They are shown real phishing examples (and their tell-tale signs such as misspelled URLs or urgent language) to practice identifying red flags. By reinforcing these skills, HGA’s training aims to dramatically lower the risk of a phishing-induced security incident on our platform or network. Everyone is encouraged to report phishing attempts immediately so IT can alert others and bolster defenses.
To summarize, the chain of responsibility runs from the top leadership to every individual user. HR and IT/Security administer and support the program, managers reinforce it, and every staff member or consultant carries it out in practice. Collaboration between these roles ensures the success of the security awareness initiative.
Roles and Responsibilities
Security awareness is a collective responsibility at HGA. This section outlines the roles and responsibilities of various stakeholders in implementing and adhering to the Security Awareness Training Policy:
- Human Resources (HR): The HR department plays a coordinating role for security training. HR is responsible for onboarding new hires and ensuring they complete initial security training upon joining. HR will communicate training requirements to new employees and include security policy acknowledgments in the new hire paperwork (or consultant onboarding process). HR also maintains a calendar of required annual or periodic training and sends out official notifications and reminders to staff and consultants about upcoming training sessions. In addition, HR will track completion of training for each employee and consultant in the HR information system or training portal. If an individual is non-compliant (misses training), HR will, in the first instance, send follow-up reminders and escalate to that person’s manager as needed. HR also supports the enforcement of this policy by working with management on any disciplinary processes for non-compliance. Finally, HR incorporates this policy into the employee handbook and ensures that the training policy is referenced in consultant contracts or welcome materials, so all personnel know from the start that these obligations exist.
- IT and Security Department: HGA’s IT/Security team is the primary owner of the Security Awareness Training Program. Their responsibilities include developing and updating the training content, scheduling training sessions or deploying e-learning modules, and running any interactive training exercises (like phishing simulations). The security team will tailor the content to address relevant threats and compliance updates (e.g. if a new social engineering scam is targeting our industry, they will add a module about it). They are responsible for ensuring the training reflects HGA’s actual security policies and procedures so that what people learn is actionable in their daily work. The Security team also provides support during training – for example, answering questions that attendees might have or clarifying how certain policies apply. After training, IT/Security is tasked with monitoring and measuring effectiveness: they might review scores from quizzes, track incident reports to see if training reduced them, and identify areas of confusion to improve the next round of training. They also maintain the official records of training completion (often in partnership with HR for record-keeping). The IT/Security department will conduct periodic phishing email tests or other practical evaluations to keep employees alert, and then follow up with additional guidance. Importantly, the security team sets the technical requirements that underpin some training topics (for instance, they enforce password policies and MFA in systems[19], configure access controls, etc., which the users are trained on). They also serve as the point of contact for any reported security incidents – when a user reports something suspicious, the Security team investigates and responds per HGA’s incident response plan. In summary, IT/Security are the content experts and program drivers for this policy.
- Department Managers and Team Leaders: Managers at all levels have a responsibility to encourage and monitor their team’s participation in security training. Management should lead by example by promptly completing their own training and emphasizing to their teams that security is a priority (this helps build a “tone from the top” that security and ethical behavior are core values). Managers will receive reports (from HR or IT) on who in their team has or hasn’t completed training and must follow up with any laggards to ensure compliance. In staff meetings, managers should periodically discuss security tips or lessons learned from training, thereby integrating security awareness into regular workflow discussions. If a team member struggles to understand certain security procedures, the manager should facilitate additional guidance (possibly with help from IT/Security). Managers are also empowered to enforce this policy within their teams – if someone is willfully ignoring security practices (e.g. repeatedly clicking on suspicious links or not following data handling rules), the manager should address it as a performance issue with support from HR. Essentially, managers act as champions of security awareness, reinforcing training messages and making sure their teams apply what was learned.
- Employees and Consultants (All Users): Each individual user – whether an HGA employee or an external consultant – has the responsibility to actively participate in security awareness efforts and to apply the training in day-to-day work. This means every user must: attend or complete all required training modules by the given deadlines; pay attention during training and seek clarification on any topics they do not understand; and ultimately, follow the security best practices taught. Users are expected to integrate the learned behaviors into their workflow – for example, actually using strong passwords and MFA, being cautious with emails, and adhering to data classification rules when handling information. Compliance is not just about attending training, but about behavior: HGA expects all personnel to demonstrate security-conscious behavior consistently. Additionally, each user is responsible for reporting any security incidents or suspicious events as per the training. If an employee or consultant is unsure about a security policy or how to proceed securely in a particular situation, it is their responsibility to reach out to the IT/Security team for guidance rather than proceeding in an unsafe manner. In short, every individual is accountable for doing their part – the training gives them the knowledge, but it is each person’s duty to exercise that knowledge. HGA’s philosophy, in line with ISO 27001, is that “everyone is responsible for information security”[6].
- Executive Leadership and Security Committee: HGA’s executive team and any designated Security or Compliance Committee have oversight responsibilities for this policy. Leadership must allocate appropriate resources (budget, tools, and time) for the training program to be effective. They also review periodic reports on training completion rates and security incidents to gauge the program’s impact. Executives should champion the importance of security awareness in company communications and ensure it remains a standing agenda item in relevant meetings (e.g. risk review meetings). If needed, leadership will update this policy to address new challenges or incorporate stricter measures. Executive support is critical to resolve any conflicts (for instance, if workloads are high, leadership still insists that training is non-negotiable) and to demonstrate that compliance with security training is as important as any client deliverable. Leadership also ensures that security awareness training is integrated with HGA’s broader risk management and compliance strategies – for example, aligning it with ISO 27001 certification efforts or client contractual requirements.
- HGA Platform Development Team: (If applicable) Since HGA has a digital platform (DevTender), the development or product team has a role in reinforcing security awareness through the platform’s design. While not directly responsible for training content, they should implement technical features that complement user training – e.g. user interface prompts about security (like reminding users to enable MFA or showing warnings when uploading files of certain types). They may also work with Security to embed just-in-time training in the platform (for instance, a tip that appears if a user tries to do a certain risky action). The platform team should be receptive to feedback from users who report security concerns or suggest improvements learned through training, thereby creating a loop between user education and platform security enhancements.
Enforcement and Consequences of Non-Compliance
Adherence to this Security Awareness Training Policy is mandatory, and HGA will enforce compliance through established disciplinary and corrective measures. The goal of enforcement is to ensure 100% participation in training and proper security behavior, not to punish unnecessarily – however, persistent non-compliance or negligence that puts HGA at risk will result in consequences.
Monitoring Compliance: The completion of required trainings will be monitored and documented by HR/IT. Failure to complete a scheduled training by the deadline triggers an escalating response. Initially, a reminder is sent to the individual and their manager. If the training remains incomplete after a grace period, it is logged as a policy violation. HR will issue a written warning noting that the individual is out of compliance with mandatory security policy. Managers will be involved in counseling the employee or consultant on the importance of immediate completion. HGA’s security is a serious matter, so ignoring training is not an option.
Disciplinary Action for Employees: If an HGA employee repeatedly fails to complete required training or is found to habitually disregard the security practices taught (for example, continually falling for phishing tests due to carelessness), progressive disciplinary action will be taken in line with the Employee Handbook and HR policies. This may include documented warnings, mandatory one-on-one security coaching, and could escalate to suspension or termination of employment in severe cases. Neglecting security training is viewed as a performance issue because it endangers the organization. For instance, should an employee’s non-compliance lead directly to a security breach, that would be grounds for serious disciplinary measures up to and including termination for cause. HGA must demonstrate to clients and auditors that its staff are trustworthy and well-trained; thus, we cannot retain employees who refuse to uphold these standards.
Consequences for Consultants: Active consultants on the HGA platform are contractually expected to follow HGA’s policies, including completion of security training. Non-compliance by a consultant will first result in suspension of their platform access until training is completed. HGA may choose not to assign new projects to a consultant who has ignored training requirements. Continued failure or any security negligence (like a consultant causing a breach through ignorance of policy) can lead to termination of their consulting contract for breach. The Consultant Agreement provides that HGA can remove a consultant from a project or end an engagement if required for compliance or security reasons[20]. For example, if a client or HGA identifies a “security concern” with a consultant’s behavior (perhaps the consultant mishandled confidential data or didn’t follow required protocols), HGA has the right to remove that consultant from the project immediately[20]. Such drastic action would be a last resort, but it underscores that consultants are held to the same high standard as employees when it comes to security. The policy will be referenced in contractual terms so consultants are formally on notice.
Regulatory and Client Requirements: In some cases, enforcement is not just internal – external regulations demand it. Many laws and standards (HIPAA, PCI DSS, etc.) require organizations to provide security training and could penalize the company if it fails to do so[5][21]. Thus, HGA’s enforcement of training compliance also protects the company from legal or contractual penalties. Auditors or clients may ask for evidence that all personnel were trained; if someone is untrained, it could jeopardize contracts or certifications. Therefore, from an enforcement perspective, HGA cannot tolerate gaps. Regulators view lack of training as “low-hanging fruit” for issuing penalties[21] – it’s an easy way for an auditor to flag non-compliance. HGA is determined to avoid such findings by demonstrating full adherence to this policy.
Positive Enforcement: While consequences exist for non-compliance, HGA also believes in positive reinforcement to encourage a strong security culture. Departments or teams with exemplary training completion rates or good security practices may be recognized in internal communications. HGA will strive to make the training engaging so that enforcement is rarely needed – ideally, employees and consultants understand the value and willingly comply. In addition, if someone proactively reports a security incident or near-miss (demonstrating the effectiveness of their training), HGA will treat that responsibly and appreciatively, not punitively. “No blame” reporting is enforced – meaning if an employee reports their own honest mistake promptly (like clicking on a phishing email by accident), HGA will focus on fixing the issue, not punishing the reporter. This approach encourages openness and continuous learning from incidents.
In summary, failure to comply with the Security Awareness Training Policy will be addressed through progressive discipline or contractual remedies. Our stance is firm because the stakes are high: one untrained or careless individual can open the door to a serious breach. By enforcing this policy, HGA also meets its obligations under various security frameworks and client contracts to ensure all personnel are knowledgeable about security[22][15]. The ultimate “consequence” we want to avoid is a data breach; strict enforcement of training is therefore a preventative measure to protect everyone.
Record-Keeping and Audit
Accurate record-keeping of security training activities is essential for tracking compliance and demonstrating HGA’s diligence to auditors, clients, and regulators. The following outlines our approach to documentation and audit related to the training program:
- Training Completion Records: HGA will maintain a centralized log of all security awareness training sessions and modules, including the date of training, list of participants, and completion status. For instructor-led sessions (either in-person or virtual live training), attendance will be taken and recorded. For online training modules, the learning management system (LMS) will automatically record completions, quiz scores, and timestamps. These records will be stored securely, in accordance with data retention policies, for a minimum of five years (or longer if required by specific regulations or contract terms). Each employee and consultant will thereby have an individual training history on file.
- Certificates or Acknowledgements: Where applicable, participants may receive a certificate or acknowledgement of completion. Employees typically must sign (physically or electronically) an acknowledgement that they have completed the training and understand HGA’s security policies. Consultants using the platform may likewise be required to acknowledge the training requirements and completion as part of their contract compliance. Copies of these signed acknowledgements or certificates will be kept in the personnel or consultant file. This provides an auditable trail that each person has agreed to follow the security guidelines.
- Audit and Review of Training Program: On a periodic basis (at least annually), the security training program and records will be reviewed as part of HGA’s internal audit and compliance checks. HGA’s internal auditors or IT compliance officers will verify that:
  - The training content is up to date and covers required topics.
  - All current employees and consultants have completed the training within the required timeframe.
  - Any exceptions (such as new hires who are still within the initial grace period) are noted and being managed.
  - Records are properly maintained and accessible for review.
  Findings from these audits will be used to improve the program. For example, if an audit finds a gap in training (say, a few consultants missed the annual refresher), the responsible departments will take corrective action promptly and document it.
- Client and Third-Party Audits: Many HGA clients (especially in government and international development sectors) have compliance requirements that may include verification of our security practices. HGA will be ready to provide evidence of training compliance during client audits or due diligence processes. This could involve furnishing anonymized training completion statistics or demonstrating our training materials. Additionally, if HGA pursues certifications like ISO/IEC 27001, the certification auditors will review our security awareness training records as part of verifying control 6.3 on awareness, education, and training[23]. We will ensure our record-keeping meets such standards. All audit requests for training records will be handled in a manner consistent with privacy (i.e., we might show that “100% of staff were trained as of X date” without exposing personal data, unless required).
- Tracking Effectiveness: Beyond raw attendance, HGA will keep records of training evaluation metrics (quiz scores, phishing test results, etc.) to gauge how well the material is understood. While individual quiz scores may not be reported beyond the security team and the individual, aggregated results can inform where more training is needed. For instance, if 20% of employees miss a question about data classification, that topic may be revisited in follow-up communications. These records of effectiveness help demonstrate to auditors and management that HGA doesn’t just do training as a checkbox, but is actively monitoring and improving it – a point that is looked upon favorably in compliance reviews[24][25] (which note that inadequate training leads to more breaches).
- Retention and Protection of Records: Training records will be treated as confidential internal documents. Digital records in the LMS or HR system will be access-controlled (only HR, IT security, and relevant auditors or managers can view them). We also ensure these records are backed up as part of HGA’s data backup strategy, so that evidence of compliance is not lost. Any personal data in training records (like names associated with training dates) is handled per privacy laws – e.g., if a consultant in the EU wanted to exercise a GDPR data access request, we could disclose their personal training record to them. Generally, we keep training records for the duration of employment/engagement plus some years after, in line with legal requirements, to show historical compliance.
In summary, through diligent record-keeping HGA can prove that this Security Awareness Training Policy is implemented in practice. It provides transparency and accountability. These records give stakeholders confidence that HGA continuously educates its people (e.g., our platform’s security section explicitly notes that users receive regular security training[9] – our records back that claim). Should any compliance disputes arise, our logs and certificates will serve as evidence that HGA took reasonable steps to prevent incidents by training our workforce. This meticulous approach to documentation reflects the same rigor that HGA applies in all areas of security and quality management.
Integration with HGA Consultant Contract and Platform Security Specifications
This Security Awareness Training Policy is designed to integrate seamlessly with HGA’s existing contractual commitments to consultants and the technical security framework of the HGA digital platform. In other words, it doesn’t stand alone – it reinforces and operationalizes security requirements that are already expected in other documents and systems.
Integration with Consultant Contracts: Every consultant engaged through HGA signs the Representation & Services Agreement which includes clauses on data protection, confidentiality, and compliance with laws and ethical standards. Notably, the contract specifies that HGA and the consultant will handle personal data in compliance with GDPR, CCPA, and other data protection laws[15]. It also obliges consultants to promptly report any data breaches or security incidents[18]. This Security Awareness Training Policy supports those contract clauses by educating consultants on exactly how to comply. For instance, the training covers GDPR/CCPA principles (so consultants know their duties under those laws) and incident reporting procedures (so they can fulfill the requirement to notify HGA of issues). By making the training mandatory for consultants, HGA ensures that when they agree in the contract to “adhere to HGA’s confidentiality and compliance obligations”[7], they are given the knowledge and tools to do so. In effect, this policy and the training program are an extension of the contract – they are how HGA enforces the expectations set in the contract on a practical level.
Additionally, many client contracts (especially with government or international agencies) may require that all project personnel undergo certain trainings (for example, a USAID contract might require training on ethical conduct, or a cybersecurity clause might require contractor staff to have security awareness training). HGA’s program is designed to meet such flow-down requirements. The consultant contract even anticipates this in Section 3.5, noting that a consultant must cooperate with any mandatory trainings on ethics or compliance required by a client[26]. Our security training can be referenced as part of meeting those requirements. If a particular project or client needs proof that a consultant has been trained in data security, HGA can provide certification from our training records (as discussed above). In summary, the policy ensures that consultants are contractually bound and trained to the same standards as HGA employees, creating a unified security posture. Non-compliance with this policy by a consultant could constitute a breach of contract (failure to follow HGA policies or creating a security risk), giving HGA the right to take action as described in the contract and enforcement section of this policy.
Integration with Platform Security Specifications: The HGA Digital Platform (DevTender) has a robust security architecture, as detailed in its technical specifications. Section 6.6 of the DevTender Security & Compliance chapter is specifically about User Education and Awareness, stating that the platform will implement “regular security awareness training for all users, focusing on best practices for data protection and threat awareness,” including training on phishing recognition and incident reporting[9]. This Security Awareness Training Policy is the fulfillment of that design specification. By executing this policy, we are implementing the planned security measure that the platform’s designers envisioned – namely, educating users as a key layer of defense.
Moreover, the platform has features like Multi-Factor Authentication, encryption, role-based access control, audit logging, and regular password policy enforcement[10][19]. Our training teaches users how to effectively use these features: e.g., how to set up MFA, why they should never attempt to disable it, how to choose a strong password that meets the platform’s requirements, and how to interpret any security warnings from the system. The synergy here is that technology and training go hand-in-hand. The platform’s security is only fully effective if users understand and cooperate with it. For instance, the platform might prompt users to change a weak password; the training ensures users take that seriously rather than seeing it as a nuisance. The platform might have an incident response mechanism; the training ensures users know how to trigger it by reporting issues. Thus, this policy essentially bridges the human factor with the technical controls described in the HGA platform specs.
Another example of integration is in compliance: The platform spec commits to GDPR and PCI DSS compliance (with features for data export, deletion on request, secure payments, etc.)[27][28]. The training ensures users (staff/consultants) do their part in maintaining compliance – e.g., by handling EU personal data appropriately on the platform so that those features are used correctly. In other words, the policy turns the platform’s compliance features into living practices by educating users about them.
Finally, HGA’s consultant platform is powered by trust – clients trust that the consultants they engage via HGA are vetted and reliable, and consultants trust the platform to securely handle their data (profiles, work submissions, payments). By integrating security awareness into the platform experience (through mandatory training and perhaps in-app reminders), HGA strengthens that trust. When consultants log in, they know HGA expects them to be security-minded. When clients use the platform, they benefit from knowing HGA’s people are trained in security (we can even mention in marketing or proposals that HGA has a rigorous security training program, aligning with ISO 27001 and other standards, to assure clients that their information will be safe with us).
Policy Governance and References: This Security Awareness Training Policy should be read in conjunction with related HGA policies and documents, including the HGA Information Security Policy, Acceptable Use Policy, Data Protection Policy, and the Consultant Contract terms. It complements those documents by providing the educational component. In case of any conflict between this policy and other internal policies, the more stringent requirement will apply (in general, they should be aligned). This policy is approved by HGA’s management and forms part of HGA’s overall Information Security Management System (ISMS). It draws on best practices from internationally recognized frameworks such as:
- ISO/IEC 27001 and 27002: for example, control 6.3 of ISO 27002:2022 recommends establishing a security awareness program with regular updates[23], which this policy implements.
- NIST SP 800-53: which similarly calls for security awareness and training for all users and outlines what content to include (roles, responsibilities, how to respond to incidents, etc.)[29].
- PCI DSS (v4.0, requirement 12.6): which requires a formal security awareness program for all personnel (we meet this by annual training and tracking compliance)[5].
- GDPR: which as noted requires organizations to train staff on data protection obligations[3]; this policy ensures we meet that requirement as part of HGA’s accountability measures.
By adhering to this policy, HGA not only fulfills its own security objectives but also tangibly demonstrates compliance with the above standards and legal requirements. It shows that HGA is proactive in mitigating the human element of security risk through continual awareness—a point often looked for in audits and client evaluations.
Conclusion: This Security Awareness Training Policy is a cornerstone of HGA’s security strategy, tying together contractual commitments, technical safeguards, and human behavior. All HGA staff and consultants are expected to embrace it in the spirit of collective responsibility: protecting our clients’ data and our platform is part of delivering excellence in our consulting services. Through regular training, clear responsibilities, and firm enforcement, HGA will maintain an environment where security awareness is second nature and potential threats are recognized and neutralized early. This not only safeguards our operations but also contributes to a culture of trust and professionalism that sets HGA apart in the international consulting arena.
Sources:
- Humanics Platform Technical Specifications – Security & Compliance: User Education and Awareness[9][10]
- HGA Consultant Contract (Representation & Services Agreement) – Data Protection and Compliance Clauses[15][18]
- ISO/IEC 27001 & 27002 Standards – Security awareness requirements and controls[23][4]
- TeachPrivacy – Security Awareness Training Requirements (Prof. Solove’s analysis of laws/standards)[5][21]
- IT Governance Blog – ISO 27001: People are vital to security (importance of training)[1][6]
- Mimecast – GDPR Training Importance (GDPR mandates staff training on data handling)[3]
- Massachusetts 201 CMR 17.00 – Data Security Regulations (training for all employees, including contractors)[8].
[1] [2] [4] [6] [14] [17] [23] A Guide to ISO 27001:2022 Security Awareness Training – IT Governance USA Blog
https://www.itgovernanceusa.com/blog/guide-to-iso-27001-security-awareness-training
[3] GDPR Awareness Training | Mimecast
https://www.mimecast.com/content/gdpr-awareness-training/
[5] [8] [21] [22] [24] [25] [29] Security Awareness Training Requirements | TeachPrivacy
https://teachprivacy.com/security-awareness-training-requirements/
[7] [12] [13] [15] [18] [20] [26] HGA_Consultant_Contract_Template.docx
file://file-GA7v2hdnXhXEYmWj3q3gXG
[9] [10] [11] [16] [19] [27] [28] HGA_Digital_Platform_Technical_Specifications.pdf