Security Training Operations SOP

Operational runbook for delivering the Security Training Programme (T1), phishing simulations (T2), and new-joiner onboarding — using the in-house Google Workspace + Gophish stack.

Field          | Value
Document ID    | SOP-011
Classification | Internal
Owner          | CISO + HR
Effective Date | April 2026
Review Cycle   | Semi-Annual

1. Purpose

Operationalises the Security Awareness Training Policy (POL-025) using a free, in-house stack (Google Workspace + Gophish + curated open content). Describes concretely how T1 (annual programme), T2 (phishing simulations), and new-joiner onboarding are delivered, tracked, and filed as audit evidence.


2. Tooling Stack

Layer | Tool | Why | Cost
Content source | OWASP Top 10, CERT-In Awareness Portal, MeitY InfoSec Awareness, SANS OUCH! newsletter | Free, India-authoritative where relevant | ₹0
Live delivery | Google Meet | Already on Workspace | ₹0
Course & enrolment | Google Classroom | Auto-enrolment, quiz gating, visibility | ₹0
Quiz & acknowledgment | Google Forms (one per track) | Required to pass = acknowledgment evidence | ₹0
Completion dashboard | Google Sheets (auto-populated from Forms) | Single source of attendance + pass status | ₹0
Deck + evidence storage | Google Drive /Security/Training/<YYYY>/ | Retained per regulatory retention | ₹0
Phishing simulation | Gophish (open-source, ephemeral — brought up only for the campaign window) | Covers all phishing-sim needs; industry-acceptable. Runs ~14 days/year, torn down in between. | ₹0
Persistent Gophish state | Private repo wealthy/security-training-evidence + Training Drive folder | SQLite DB, templates, recipient CSVs, and campaign exports survive between runs | ₹0
Supplementary | Google Workspace Phishing Campaign (admin) | Backup / small-scope campaigns | ₹0

Paid LMS (KnowBe4 / Hoxhunt / SafeTitan / Infosec IQ) remains the future option if the admin burden of this stack outweighs the licence cost — decision reviewed at year-2 ISRMC.


3. Drive Folder Layout

/Security/Training/
  /<YYYY>/
    /T1-annual/
      common-track-deck.pdf
      engineering-track-deck.pdf
      sre-track-deck.pdf
      finance-ops-track-deck.pdf
      pam-track-deck.pdf
      attendance.gsheet
      acknowledgment-common.gform
      acknowledgment-engineering.gform
      ...
    /T1-ad-hoc-<YYYY-MM-DD>-<topic>/
    /T2-phishing-<YYYY-HH-NN>/
      campaign-config.md
      landing-page.html
      recipient-list.csv
      results.csv
      repeat-clickers.csv
  /onboarding/
    <new-joiner-module-v<N>>
  /content-library/     # re-usable decks, Form templates, phishing templates

All folders are owned by security@wealthy.in; CISO + HR have edit access; internal auditors get view access on request.


4. T1 — Annual Security Training Programme

4.1 Pre-session (2 weeks out)

  1. CISO + HR open the GitHub Issue using the Security Training Programme template; assign to themselves.
  2. Current year’s content is refreshed: common-track deck updated with any new DPDP / IRDAI / SEBI changes, role-track decks refreshed.
  3. Acknowledgment Forms for each track are cloned from the content library and dated for the current year.
  4. Google Classroom course Security Training <YYYY> is created; employees are enrolled via Workspace Admin bulk CSV.
  5. Google Meet is scheduled — one all-hands (common track), four role-track breakouts.

4.2 Session day

  1. Common track runs first (45 min), live on Meet, recorded.
  2. Role-track breakouts (45–75 min each): Engineering, SRE/Security, Finance/Support/Ops, PAM holders.
  3. Acknowledgment Form for each track shared in the call; completion is required within 48 hours.

4.3 Follow-up (within 7 days)

  1. Attendance pulled from Meet + cross-checked against Forms submissions into the attendance.gsheet.
  2. Absentees notified with a 7-day deadline to watch the recording + complete the Form.
  3. Persistent non-completers (>14 days) trigger account-access review per POL-025 §6.
  4. Completion % per track, per role logged in the GitHub Issue.

4.4 Sign-off

  1. Trainer(s), CISO, and HR sign the Issue.
  2. Issue closed with training label; all artefacts linked from the Issue body.

5. New-Joiner Onboarding (continuous)

  1. HR adds the joiner to Workspace; onboarding flow auto-enrols into Security Onboarding <YYYY> Classroom course.
  2. Joiner has 7 calendar days from start date to complete the module + pass the quiz with ≥ 80%.
  3. Production access is gated on quiz pass — SRE checks the Classroom completion report before granting access (IAM change request won’t be approved without it).
  4. HR logs completion in the joiner’s personnel record; a monthly GitHub Issue bundles all new-joiner completions for audit evidence.

6. T2 β€” Phishing Simulation

6.1 Gophish — ephemeral deployment on GKE

Gophish only needs to run for the ~7-day campaign window (×2 per year, plus any ad-hoc). It is brought up at campaign launch and torn down at close; nothing is kept permanently live. Persistent state (SQLite DB, templates, recipient lists, historical results) lives outside the runtime in the Training Drive folder and the phishing-simulation/ folder of the security repo — restored on bring-up, snapshotted on tear-down.

Platform: GKE, security namespace (same namespace as Wazuh). Manifests + full runbook live in phishing-simulation/README.md in the security repo. Apply with kubectl apply -k . at bring-up, kubectl delete -k . at tear-down.

Key config:

Aspect | Value
Image | gophish/gophish:v0.12.1 (official)
SMTP | Workspace SMTP relay via phish-sim@wealthy.in (real Workspace mailbox with app password)
Admin UI | https://gophish.wealthy.systems — locked down via Istio AuthorizationPolicy to CISO + DevOps Workspace identities
Landing page | https://login.wealthy.systems — public internet (recipients must be able to click)
State | SQLite DB + templates + recipient CSVs snapshotted to Drive at tear-down, restored at bring-up

No separate domain is purchased — both hostnames use subdomains of wealthy.systems (already owned for docs.wealthy.systems, wazuh.wealthy.systems). TLS via the same *.wealthy.systems wildcard cert.

6.2 Campaign flow (per half-year — DevOps-scheduled, CISO-owned)

  1. CISO picks the next theme at the start of each half (OAuth-consent abuse, CEO fraud, courier delivery, payroll β€” rotate) and drafts the template + landing page.
  2. Template + landing page reviewed for realism and no actual harm; signed off by CISO.
  3. Recipient list pulled from Workspace (exclude contractors not in scope).
  4. DevOps schedules the send in Gophish for the agreed launch date — Gophish’s built-in scheduler handles the actual send, so no human needs to be at the console. Campaign runs over a 7-day window; results track live.
  5. After close (automated email from Gophish to CISO):
    • Results CSV exported (automated via Gophish API + launchd script).
    • Click rate, credential-entry rate, report rate computed; trend chart updated.
    • Repeat-offender list produced (anyone who clicked in any prior campaign).
    • 1:1 coaching scheduled for repeat offenders.
  6. Evidence filed in the GitHub Issue using the Phishing Simulation template.
  7. If click rate or repeat-offender rate breach POL-025 §6 targets, the cadence auto-raises to quarterly until restored.
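The post-close computation in step 5 (click / credential-entry / report rates, repeat-offender list, cadence check), as an added example that is not part of this SOP or of Gophish itself. It assumes the results export carries the columns email, status and reported as Gophish's CSV export does, that the prior repeat-clickers.csv is a one-column list of every past clicker, and that the POL-025 §6 targets are passed in as parameters (placeholders here, since the SOP does not state them).

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample in the shape of a Gophish results export; only the columns this
# script needs are kept. Column names are an assumption about the export format.
CURRENT_RESULTS_CSV = """email,status,reported
a@example.test,Email Sent,false
b@example.test,Email Opened,true
c@example.test,Clicked Link,false
d@example.test,Submitted Data,false
e@example.test,Clicked Link,true
f@example.test,Email Sent,false
"""

# Constructed prior repeat-clickers.csv: everyone who clicked in any earlier campaign.
PRIOR_CLICKERS_CSV = """email
c@example.test
z@example.test
"""

# Gophish statuses are cumulative: "Submitted Data" implies the link was clicked.
SENT_STATUSES = {"Email Sent", "Email Opened", "Clicked Link", "Submitted Data"}
CLICK_STATUSES = {"Clicked Link", "Submitted Data"}


@dataclass(frozen=True)
class CampaignMetrics:
    sent: int
    clicked: int
    submitted: int
    reported: int

    def rate(self, count: int) -> float:
        return round(count / self.sent, 4) if self.sent else 0.0


def parse_results(csv_text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(csv_text)))


def compute_metrics(rows: list[dict]) -> CampaignMetrics:
    sent = [r for r in rows if r["status"] in SENT_STATUSES]  # Scheduled/Error rows excluded
    clicked = sum(r["status"] in CLICK_STATUSES for r in sent)
    submitted = sum(r["status"] == "Submitted Data" for r in sent)
    reported = sum(r["reported"].strip().lower() == "true" for r in sent)
    return CampaignMetrics(len(sent), clicked, submitted, reported)


def clickers(rows: list[dict]) -> set[str]:
    return {r["email"].lower() for r in rows if r["status"] in CLICK_STATUSES}


def repeat_offenders(rows: list[dict], prior_csv: str) -> tuple[list[str], list[str]]:
    """Returns (repeat offenders this campaign, updated all-time clicker list to file)."""
    prior = {r["email"].lower() for r in csv.DictReader(io.StringIO(prior_csv))}
    now = clickers(rows)
    return sorted(now & prior), sorted(now | prior)


def cadence(m: CampaignMetrics, repeat_count: int, click_target: float, repeat_target: float) -> str:
    """Step 7: raise to quarterly if either rate breaches its POL-025 §6 target (placeholder values)."""
    breach = m.rate(m.clicked) > click_target or m.rate(repeat_count) > repeat_target
    return "quarterly" if breach else "semi-annual"
```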

6.3 Ad-hoc campaign triggers

  • Real phishing incident affecting Wealthy — re-test the same vector.
  • New joiner cohort (> 5 joiners in a month) — targeted mini-campaign after their onboarding.
  • New regulation / theme (e.g. DPDP Rules rollout) — targeted campaign.

7. Ad-hoc Training

Triggered by: post-incident retraining, regulation rollout, new major control, CTO / Compliance request.

  1. Issue opened with training label, session type = Ad-hoc and the trigger noted.
  2. Content is either an existing module (Classroom republish) or a short live session (Meet).
  3. Acknowledgment Form + attendance captured same as T1.
  4. Filed in /Security/Training/<YYYY>/T1-ad-hoc-<date>-<topic>/.

8. Evidence & Retention

All training evidence retained per regulatory retention (minimum 5 years for IRDAI / SEBI / CERT-In):

  • Classroom completion reports (exported annually to Drive)
  • Google Forms response CSVs
  • Attendance sheets
  • Training decks (versioned per year)
  • Gophish campaign exports
  • GitHub Issues with training / phishing-sim labels — the index into the above

9. Metrics Reporting

Reported quarterly to ISRMC, annually to the Board (driven by POL-025 §6):

Metric | Source
T1 completion within grace window | Classroom + Forms dashboard
New-joiner onboarding completion within 7 days | Classroom report
T2 click rate (12-month rolling) | Gophish trend
T2 repeat-offender rate | Gophish repeat list
PAM-holder module completion | Forms filtered to PAM role

10. Roles

Role | Responsibility
CISO | Training content ownership, phishing theme + template design, trend analysis, ISRMC reporting
HR | Classroom enrolment, onboarding gating, attendance reconciliation, personnel records
DevOps | Gophish host (Mac mini) uptime + upgrades, Cloudflare Tunnel, scheduled campaign launches per the CISO-agreed calendar, nightly backup of campaigns
SRE | Production-access gating on Classroom completion
Engineering Managers | Team-level completion chase, role-track Q&A host
Trainer(s) | Session delivery (may be CISO, engineering lead, or external vCISO for specialised topics)

11. Year-2 Re-evaluation

At the 12-month mark, CISO reviews whether the in-house stack should be replaced by a paid LMS. Decision criteria:

  • Hours spent monthly on manual evidence stitching
  • Audit findings related to training evidence completeness
  • Click-rate / completion trends requiring finer role-based paths
  • Price of available LMS licences relative to team size

Outcome is logged in the ISRMC minutes, and POL-025 is updated if the decision is to switch.



Reviewed semi-annually. Last revision: April 2026. Contact: security@wealthy.in.