6.2 Security Training and Awareness

We place a high priority on security within our company, considering it not just the domain of our IT department but a responsibility shared by every member of our team. As such, we provide a thorough and rigorous security training program for all employees, contractors, and other members of our workforce who have access to sensitive information.

Training begins at the outset of a person's engagement with the company. From the first day, we instill an understanding of the critical role each individual plays in our overall security posture. The initial training program, which is mandatory for all new hires and contractors, covers the full gamut of our security policies and procedures.

The curriculum includes, but is not limited to:

  • Recognizing and responding to potential threats: We train our team to identify common threat vectors, such as phishing emails, social engineering attempts, and malicious software. We believe in maintaining a proactive defense, which involves understanding not just how to respond to these threats, but also how to report them promptly to our security team.

  • Safe internet practices: Given the remote nature of our operations, safe and responsible internet usage is paramount. We equip our workforce with the knowledge of secure browsing practices, the importance of using secure and trusted networks, and the dangers of public Wi-Fi when handling sensitive information.

  • Proper handling of sensitive data: Our training emphasizes the significance of maintaining the confidentiality and integrity of client data. This includes instructions on proper data storage, transmission, and destruction, aligned with both our internal policies and regulatory requirements.

  • Specific responsibilities in protecting information: We make it clear that every team member has a role to play in maintaining security. As such, we detail the specific responsibilities each individual holds, depending upon their role and the nature of the information they handle.

To keep our team's knowledge current and to address evolving threats, we update our training content regularly and conduct refresher courses at least annually. Ad hoc sessions are also organized in response to any significant changes in our systems, processes, or the broader threat landscape.

Lastly, we meticulously maintain records of all training undertaken. This not only serves as evidence of our commitment to security for regulatory bodies but also helps us identify gaps in our training program so that we can continually improve.

By integrating security training and awareness into our corporate culture, we aim to empower every individual in our organization to take an active role in safeguarding the data and trust bestowed upon us by our clients.
