Security Awareness Training Policy

Wealthy’s commitment to ongoing security awareness training: onboarding, annual refresher, phishing drills, role-specific modules.

Field | Value
Document ID | POL-025
Classification | Internal
Owner | CTO (interim CISO)
Effective Date | April 2026
Review Cycle | Annual

1. Purpose

People are the first and most frequently exploited layer of any security programme. This Policy commits Wealthy to an ongoing, mandatory security awareness training programme so every employee, contractor, and long-term vendor can recognise, resist, and report common threats: phishing, social engineering, credential misuse, data mishandling, and insider risk.


2. Scope

Applies to:

  • Every full-time and part-time employee
  • Contractors and interns with access to Wealthy systems, data, or infrastructure
  • Long-term vendor staff with operational access (assessed per the Vendor Security Assessment Standard (STD-015))

3. Principles

  1. Mandatory on day one. Security awareness training is part of onboarding and must be completed before production access is granted.
  2. Annual refresher. Every person in scope completes a full refresher within 12 months of the last completion.
  3. Role-specific modules. Engineers get secure-SDLC training; finance and support get fraud-scenario training; privileged-access holders get an additional privileged-access module.
  4. Continuous reinforcement. Half-yearly phishing simulations plus ad-hoc campaigns (e.g. after a real phishing incident or when a new attack theme is trending), periodic tabletop exercises, and security-bulletin-style comms from security@wealthy.in.
  5. Measurable. Completion and phishing performance are tracked; gaps are followed up until closed.
  6. Regulation-aligned. The programme is designed to satisfy IRDAI Cyber Security Guidelines 2024, SEBI CSCRF, DPDP Act, and CERT-In expectations on human-layer controls.

4. Mandatory Programme

Structured as one annual Security Training Programme (calendar event T1) with a common track for everyone plus role-specific tracks for those who need them, delivered in a single session. Supplemented by half-yearly phishing simulations (T2). Ad-hoc sessions can be raised by CTO / Compliance at any time (post-incident retraining, new regulation rollout, major control change).

Element | Audience | Cadence
Security Induction | All new joiners | Before production access
T1 Security Training Programme (common track): phishing, passwords, DPDP, incident reporting, device hardening | All in scope | Annual + ad-hoc
T1 Role track, Engineering / DevOps: secure coding, secrets hygiene, supply-chain scanning | Engineering | Annual + ad-hoc
T1 Role track, Finance / Support / Operations: fraud scenarios, partner impersonation | Finance, Support, Operations | Annual + ad-hoc
T1 Role track, SRE / Security: IR runbook, threat hunting, DR drill walkthrough | SRE, Security | Annual + ad-hoc
T1 Role track, Privileged-access holders: PAM hygiene, just-in-time elevation (per PAM Policy (POL-018)) | PAM holders | On elevation + annual + ad-hoc
T2 Phishing Simulation | All in scope | Half-yearly + ad-hoc

5. Reading Security Communications

Reading email from security@wealthy.in is mandatory for everyone in scope. Security bulletins, incident summaries, phishing-campaign reports, policy changes, and advisories are part of the awareness programme. Failure to act on a clearly-worded operational instruction from security@wealthy.in is treated as a policy breach. Because impersonating the security team is a standard phishing pretext, a message that appears to come from security@wealthy.in but asks for passwords, MFA codes, or payments is reported through the incident-reporting channel rather than acted on.


6. Metrics & Targets

Reported quarterly to ISRMC and annually to the Board:

Metric | Target
Onboarding training completion within 7 days of joining | 100%
Annual refresher completion within grace window | ≥ 95%
Phishing-simulation click rate | < 5% (12-month rolling)
Repeat-offender rate (clicked ≥ 2 times in 12 months) | < 1%
Privileged-access module completion | 100%

Persistent non-completion triggers account-access suspension until remediated. If click rate or repeat-offender rate breaches target, the phishing-simulation cadence is raised from half-yearly until the target is restored.

Scheduled events (T1 annual programme, T2 half-yearly phishing) and their evidence flow are tracked in the Security Governance Calendar; ad-hoc training or drills can be raised by the CTO / Compliance at any time and are logged with the same training / phishing-sim GitHub Issue labels as the recurring ones. The concrete delivery stack (Google Classroom + Meet + Forms + Sheets + Gophish on a DevOps-run Mac) is described in the Security Training Operations SOP (SOP-011).


7. Regulatory Alignment

  • IRDAI Cyber Security Guidelines 2024: intermediary cyber-awareness and training obligations.
  • SEBI CSCRF: awareness programme under the “Governance” and “Identify/Protect” functions.
  • DPDP Act 2023: Data Processor staff privacy training.
  • CERT-In Directions 2022: incident-reporting awareness at the human layer.

8. Roles & Responsibilities

Role | Responsibility
CTO (interim CISO) | Programme ownership, annual sign-off, Board reporting
HR | Enforce onboarding completion as a gating step, track exits
People Team / L&D | Module delivery, LMS ownership, evidence retention
Compliance | Regulatory alignment, audit-evidence preparation
Engineering Managers | Team-level completion, role-specific module enforcement
Every employee / contractor | Complete training on time, read security comms, report incidents

9. Governance

  • Completion dashboard maintained by the People Team; shared monthly with CTO.
  • Phishing-simulation results and repeat-offender list reviewed at quarterly ISRMC.
  • Training content is refreshed at least annually; new modules are added when the threat landscape or regulation changes (e.g. a new DPDP Rule or a new CERT-In direction).
  • Evidence (completion records, phishing-campaign logs, drill reports) retained for the regulatory retention period.

10. Exceptions

Exceptions (e.g. long-term leave, role change requiring alternate training) follow the Exception Management Policy (POL-013). No exception is valid without documented compensating controls (usually temporary access restriction).



Reviewed annually. Last revision: April 2026. Contact: security@wealthy.in.