25. Training and Awareness
25.1 Purpose
Ensure everyone involved in the SDLC understands and can perform their security, privacy, and operational responsibilities so that Applications are designed, built, and run safely and compliantly.
25.2 Audience and scope
Training applies to CLD personnel (ISO, Product/Process Owners, IT Operations, Vendor Manager, Legal/Privacy) and to vendor personnel who design, build, test, deploy, or support in‑scope Applications. Subprocessors providing material services must ensure relevant staff are trained to an equivalent standard.
25.3 Curriculum (minimum by role)
- All personnel (CLD and vendor): annual security and privacy awareness covering phishing/social engineering, acceptable use, data handling (Restricted data), incident reporting, and basics of PIPEDA and Quebec Law 25; a refresher on the Canada‑only data residency default.
- Product/Process Owners: requirements traceability, privacy by design/minimization, retention/deletion, subject‑rights workflows, residency exceptions and DPIA triggers; SDLC gates and acceptance evidence.
- Engineers/Developers (vendor): secure coding (OWASP Top 10/Proactive Controls), API security (OAuth2/OIDC, input validation, schema enforcement), secrets management, file‑upload protections, logging/telemetry redaction, privacy by design, SBOM/SCA hygiene, and vulnerability remediation SLAs.
- QA/Testing (vendor): security test coverage (SAST/SCA/DAST basics), test data protection/anonymization, abuse case testing, evidence capture.
- DevOps/CI‑CD/Cloud (vendor): pipeline hardening, artifact signing, IaC/container security, secrets injection/rotation, change safety (canary/blue‑green), backup/restore runbooks, monitoring/alert routing, SIEM basics.
- IT Operations (CLD/vendor): runbooks, on‑call and escalation SLOs, PIR/RCA methods, backup/restore validation, SIEM dashboards/queries, log privacy.
- Legal/Privacy (CLD/vendor): DPIA workflow, residency exception package contents, breach‑of‑security‑safeguards assessment and notification coordination.
- Vendor Manager (CLD): reading SOC 2/pentest/code‑scan summaries, POA&M oversight, subprocessor review, levers for non‑conformance.
25.4 Frequency and timing
- Onboarding: complete role‑appropriate training before access to Restricted data, admin consoles, or production systems is granted.
- Recurring: all audience groups complete the annual awareness refresher; engineers, DevOps, and QA additionally complete role‑based secure SDLC refreshers annually. Tabletop drills for incident response take place at least annually (or more often where client requirements demand). PENDING: Confirm annual cadence and any additional frequencies
25.5 Delivery and validation
Training may be delivered via e‑learning modules, workshops, or vendor programs, provided the content meets the curriculum and includes a knowledge check. For vendor staff, equivalent corporate programs are acceptable if mapped to these requirements. Completion requires a passing score of PENDING: __% or documented attendance for workshops. Practical drills (e.g., incident tabletop) must record participants and outcomes.
25.6 Preconditions for access
Granting or retaining privileged access (admin roles, CI/CD administration, production consoles, SIEM) requires current completion of role‑appropriate training and acceptance of the relevant policies (Information Security, Access Control, Incident Response, this SDLC Policy). Access that depends on lapsed training is subject to suspension under 25.8. Vendors must attest that assigned personnel are current before they perform work affecting CLD.
25.7 Records and evidence
Maintain completion records (dates, modules, scores/attestation) for all CLD personnel and, for vendor personnel, either individual records or a vendor attestation with sample evidence on request. Retain records for at least PENDING: __ years and make them available to CLD or auditors upon request. PENDING: System/repository for training records
25.8 Effectiveness and improvement
Annually review training feedback, common PIR/RCA themes, and audit findings to adjust curriculum (e.g., add modules on token TTLs, rate‑limits, logging redaction). Track completion rates and remediate gaps promptly (reminders, access suspension for non‑completion if needed). PENDING: Completion rate threshold (e.g., ≥ __%) and remediation approach
25.9 Vendor and subprocessor obligations
Vendor contracts must require that personnel working on CLD’s Applications complete security/privacy and role‑based SDLC training at least annually and before privileged work. Subprocessors with material impact must meet equivalent training obligations and provide attestations or summaries upon request. Failure to meet training requirements may trigger corrective actions under the contract.
25.10 Exceptions
Any deviation from these training requirements (e.g., temporary access before completion due to an urgent hotfix) requires a documented exception with scope, rationale, compensating controls (e.g., supervised session, limited privileges), owner, ISO recommendation, Executive Sponsor approval, and a completion deadline.