Grasslands Public Schools Policy Handbook

Administrative Procedure

AP-327 — Security Awareness and Training

Section Three: General School Administration
Effective Date: June 8, 2026 Last Reviewed: June 8, 2026

Background

An organization's technical security controls are only as effective as the people who use and interact with its systems. Social engineering, phishing, credential theft, and human error remain the primary vectors for security incidents in educational environments. A sustained security awareness and training program reduces the likelihood of successful attacks, strengthens incident reporting, and builds a security-conscious culture across the Division.

This procedure establishes the governance framework for the Division's security awareness and training program. It implements the awareness and training expectations in Policy 310 – Information Security Charter and aligns with NIST Cybersecurity Framework 2.0 function PR.AT (Awareness and Training).

Scope

This procedure applies to all Division employees, contractors, and volunteers who use Division information systems, networks, or devices.

Definitions

Terms not defined in this procedure have the meanings assigned in Policy 310 – Information Security Charter and A.P. 313 – Data Classification.

Business Email Compromise (BEC): A social engineering attack in which an attacker impersonates a trusted party (typically a senior leader, vendor, or colleague) via email to induce the recipient to transfer funds, share credentials, or disclose sensitive information.

Credential harvesting: A phishing technique that directs users to a fraudulent login page designed to capture their username and password.

Phishing simulation: A controlled, authorized exercise that sends simulated phishing emails to Division staff to assess awareness, measure response behaviour, and identify individuals who require additional training.

Privileged user: An individual with elevated system access beyond standard user permissions, including system administrators, network administrators, and individuals with access to administrative consoles, security tools, or backend systems.

Remedial training: Targeted training assigned to an individual following a security awareness deficiency, such as failing a phishing simulation. Remedial training is educational and not punitive.

Security awareness training: Training designed to educate users about cybersecurity threats, safe computing practices, and their responsibilities for protecting Division information assets. Distinct from privacy training under A.P. 323.

Responsibilities

Superintendent

Access and Privacy Coordinator

Director of Technology

Site Coordinators (School Principals)

All Staff

Procedures

1. Security awareness program governance

  1. The Director of Technology shall maintain a security awareness and training program that addresses the security threats, risks, and vulnerabilities relevant to the Division's information environment.
  2. The Director of Technology shall develop an annual security awareness program plan. The program plan shall identify training topics, delivery methods, target audiences, phishing simulation schedule, tabletop exercise schedule, and success metrics for the upcoming year.
  3. The security awareness training program shall be coordinated with the privacy training program under A.P. 323. Joint delivery of privacy and security training is permitted to minimize disruption to staff schedules, provided that:
    1. Privacy-specific content and security-specific content are clearly delineated within any jointly delivered session.
    2. Training completion is tracked separately for privacy and security components, in accordance with A.P. 323 record-keeping requirements.
    3. The Access and Privacy Coordinator is consulted on any training content that addresses privacy-security intersections, including breach recognition, personal information handling, and incident reporting.
  4. The annual program plan shall account for lessons learned from security incidents (per A.P. 321), risk assessment findings (per A.P. 328), phishing simulation results, and staff feedback from the prior year.

2. Training requirements by audience

a. All staff

  1. All Division employees, contractors, and volunteers who use Division information systems shall complete security awareness training covering the following topics:
    1. Phishing and social engineering recognition, including malicious attachments and links.
    2. Password security and multi-factor authentication.
    3. Device security (locking screens, securing laptops, portable devices).
    4. Removable media risks.
    5. Safe internet and email use.
    6. Physical security awareness (tailgating, clean desk, secure printing).
    7. Incident reporting procedures (per A.P. 321), including how and where to report a suspected phishing message.

b. Privileged users

  1. Individuals with privileged system access shall complete enhanced security awareness training annually, in addition to general training, covering:
    1. Elevated threats targeting administrative accounts.
    2. Administrative credential management and protection.
    3. Multi-factor authentication requirements for privileged access (per A.P. 320).
    4. Change management and configuration security (per A.P. 326).
    5. Vendor and supply chain compromise recognition (per A.P. 322).
    6. Insider threat awareness.
    7. Logging and monitoring responsibilities.

c. CIRT members

  1. All CIRT members shall complete annual incident response training as required by A.P. 321, covering the incident response procedures in A.P. 321 and IM-003 – Incident Response Plan.
  2. CIRT training delivery, scheduling, and documentation shall be coordinated by the Director of Technology.

d. New employees

  1. All new employees, contractors, and volunteers shall complete security awareness onboarding training within 30 days of commencing their role, aligned with the privacy training onboarding timeline under A.P. 323.

3. Training content and curriculum

  1. The Director of Technology shall maintain a training content library organized by audience (all staff, privileged users, CIRT members) and delivery method (monthly module, onboarding, just-in-time).
  2. Lessons learned from security incidents (per A.P. 321) and near-misses shall be integrated into training content within 60 days of incident closure.
  3. Training content shall incorporate real-world examples relevant to the educational environment, including threats targeting school divisions, student data, and educational technology platforms.

4. Delivery methods and frequency

  1. The security awareness training program shall use the following delivery methods:
    1. Monthly modules: Short training modules (10 to 15 minutes each) distributed monthly via the Division's LMS or email-based training platform. Each module shall focus on a single security topic. Staff shall complete monthly modules by the end of the distribution month.
    2. Onboarding training: Security awareness training for new employees within 30 days of commencing their role.
    3. Just-in-time training: Targeted training delivered in response to specific events, including security incidents, emerging threats, new system deployments, or phishing simulation failures. Just-in-time training does not replace annual or monthly requirements.
    4. Phishing simulations: Controlled phishing exercises to assess and reinforce staff awareness.
    5. Tabletop exercises: Incident response scenario exercises for CIRT members, coordinated with A.P. 321.

5. Phishing simulation, testing, and tabletop exercises

  1. The Director of Technology shall conduct phishing simulation campaigns at least annually to assess staff ability to recognize and report phishing attempts. More frequent campaigns are encouraged where capacity permits.
  2. Phishing simulations should use varied techniques across campaigns, including credential harvesting, business email compromise, malicious attachment delivery, and link-based attacks, to test a range of recognition skills.
  3. Phishing simulations should be deployed during normal business hours and should target a representative cross-section of Division staff. Campaigns may target specific groups (for example, finance staff or administrators) based on risk assessment findings.
  4. The Director of Technology shall record, for each campaign, the delivery rate, click rate, report rate, and time-to-report, and may record additional metrics. Report rate shall count reports from staff who reported after clicking as well as those who reported without clicking, since reporting after a mistake is the behaviour the program seeks to reinforce. Campaign metrics shall inform the annual program plan.
  5. The Division shall conduct at least one tabletop incident response exercise annually, as required by A.P. 321. Tabletop exercises shall be planned and facilitated by the Director of Technology, with participation by CIRT members and the Superintendent or designate.
  6. Lessons learned from tabletop exercises shall be documented and incorporated into incident response procedure updates (per A.P. 321) and the annual security awareness program plan.

6. Tracking, compliance, and enforcement

  1. The Director of Technology shall maintain a training tracking system that records, for each individual: training modules completed, completion dates, expiry dates, phishing simulation results, and compliance status.
  2. Security awareness training records shall be maintained separately from privacy training records, even where training is delivered jointly, in accordance with A.P. 323 record-keeping requirements.
  3. Training completion records shall be retained for a minimum of three years, consistent with privacy training record retention under A.P. 323.
  4. Staff who fail to complete training within prescribed timelines may have their access to Division systems restricted in accordance with A.P. 320 – Information Access Control.
  5. Non-compliance escalation for monthly modules shall proceed as follows: automated reminder at mid-month, final reminder five days before the deadline, notification to the Site Coordinator after the deadline, and access restriction under A.P. 320 if training remains incomplete after a grace period.

Review

This procedure shall be reviewed every three years by the Director of Technology, or earlier if triggered by:

Cross reference

Legal references