IT001: Timex Group IT Employee Policies
Acceptable Use Policy
Purpose
This policy is intended to protect Timex Group, its employees, customers, and partners from illegal or damaging actions by individuals, either knowingly or unknowingly. This policy also outlines the acceptable use of computing equipment and electronic communications within Timex Group. Inappropriate use and action may expose Timex Group to risks, including viruses, malware, ransomware, and other cyberattacks, which could compromise network systems and services, lead to legal issues, and have adverse financial impacts.
Scope
This policy applies to the use of Timex Group computer equipment, networks, and applications by employees, contractors, consultants, and other workers at Timex Group, including all personnel affiliated with third parties. This policy applies to all activities that utilize computer equipment, networks, and applications owned, leased, or otherwise managed by Timex Group.
Definitions
Term
Definition
Blogging
Writing a blog. A blog (short for weblog) is a personal online journal that is frequently updated and intended for public consumption.
Social Networking
The use of dedicated websites and applications to interact with other users, or to find people with similar interests to oneself.
Spam
Unauthorized and/or unsolicited electronic mass mailings.
File Sharing Tools
These are online file-sharing tools that enable users to upload and store data or files to share with colleagues or friends, and which can be accessed remotely from any device. Examples include Apple iCloud, Dropbox, Hightail, SugarSync, Google Drive, Minus, WeTransfer, Box, DropSend, SendSpace, iTransfer, TransferBigFiles, SendThisFiles, OneDrive, OneHub, Droplr, CloudApp, Egnyte, Ge.tt, 4shared, MediaFire, and others.
Policy
The Company owns and extensively utilizes Information Technology, including, but not limited to, computer equipment, business applications, software, storage media, networks, electronic communications, and the information processed by or maintained within these technologies. This Information Technology always remains the property of the company and access may be provided by Timex Group to employees or agents of the company to promote efficiency of the Company’s worldwide business operations and to be used for business purposes in serving the interest of the Company, and for our clients and customers during normal operations. Adequate security is a team effort involving the participation and support of every Timex Group employee and affiliate who deals with information and/or information systems. It is the responsibility of employees to be familiar with these policies and guidelines and to conduct their activities accordingly, in a business-like manner and with uncompromising integrity.
General Use and Ownership
- While Timex Group desires to provide a reasonable level of privacy, users should be aware that the data they access using company Information Technology remains the property of Timex Group. Because of the need to protect Timex Group’s assets, management cannot guarantee the confidentiality of the information processed and/or stored by any Information Technology belonging to Timex Group. Employees do not have a privacy right in any material created, received, stored, or transmitted by these technologies. They should not make use of these systems with any expectation of privacy concerning such material.
- Timex Group proprietary information stored on electronic and computing devices, whether owned or leased by Timex Group, the employee, or a third party, remains the sole property of Timex Group. You should ensure, through legal or technical means, that proprietary information is protected in accordance with the Data Protection Standard of the Company.
- You have a responsibility to promptly report the theft, loss, or unauthorized disclosure of Timex Group proprietary information, including the loss or theft of employee-owned computing equipment that stores Timex Group information.
- You may access, use, or share Timex Group proprietary information only to the extent it is authorized and necessary to fulfill your assigned job duties.
- Employees are responsible for exercising good judgment and care regarding the use of Timex Group technology. Timex Group requires that any information that is considered sensitive or vulnerable should always be encrypted if transmitted or transported outside of Timex Group facilities.
- For security and network maintenance purposes, authorized individuals within Timex Group may monitor data, equipment, systems, and network traffic at any time.
- Timex Group reserves the right to audit data, networks, and systems periodically to ensure compliance with this policy.
Security and Proprietary Information
- All computing devices that connect to the Timex Group network (including VPN) are subject to the general provisions of this policy and other posted IT policies
- System-level or user-level passwords should comply with the Identity and Access Management Policy. Providing access to another individual, either deliberately or through failure to secure their access, is prohibited.
- All computing devices should be secured with a password-protected screensaver with an automatic activation feature set to 20 minutes or less. You should lock the screen or log off when the device is unattended.
- Postings by employees from a Timex Group email address or account to social media sites/services are prohibited unless made as part of approved business duties. Employees should use extreme caution when opening email attachments received from unknown senders, which may contain malware. Employees are expected to treat email as an unsecured communication channel and to be cautious when an email directs them to specific sites or applications: always open applications from known, trusted links and, whenever possible, avoid following links supplied in the message itself.
- All computers used by the employee that are connected to the Timex Group internet and intranet, whether owned by the employee or Timex Group, shall be continually executing approved endpoint security software with a current threat database unless agreed in writing by IT management.
- Use only software that has been approved and provided by the IT organization. Employees are responsible for ensuring that any software installed on a computer by someone other than the IT organization is endorsed by IT and is appropriately licensed; any use of unlicensed software is a strict violation of Company policy and subject to immediate disciplinary action.
- Employees are responsible for the content of all text, audio, images, or other electronic media that they transmit, and for ensuring its compliance with this and other Company policies, especially in external communications.
- Employees are responsible for ensuring that all data and information produced by or for Timex Group is maintained in a company Server or file share such as SharePoint or OneDrive, to safeguard the value of the information. All data and information produced by or for Timex Group should not be stored in any public cloud, or any form of public repositories, or online file sharing tools outside of Microsoft 365 services without written approval from IT management.
- Tampering with or disabling any security, monitoring, management, or other controls placed on a company-provided PC is prohibited without prior written approval of the CIO. Such actions include but are not limited to: disabling endpoint security software, firewall settings, lock screen settings, or removal of any client management software.
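The screen-lock requirement above is the one control in this section that can be verified mechanically on an endpoint. The following PowerShell check is an added example, not part of the Timex Group policy text or of any Timex Group tooling. It reads the standard Windows screensaver values (ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut, checking the Group Policy location before the user's own preferences) and the "Interactive logon: Machine inactivity limit" setting (InactivityTimeoutSecs), and compares them against the policy's 20 minutes (1200 seconds). The threshold and the decision that either mechanism satisfies the control are assumptions made for this example.

```powershell
# Added example (not part of the Timex Group policy): report whether this
# Windows endpoint meets "password-protected screensaver, automatic activation
# at 20 minutes or less". Registry paths and value names are the standard
# Windows ones; the 1200-second limit is the policy's 20 minutes (assumed here).

function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-ScreenLockCompliance {
    param([int]$MaxSeconds = 1200)   # 20 minutes, per the Acceptable Use Policy

    # A value set by Group Policy overrides the user's own preference, so read
    # the Policies key first and fall back to the per-user key only if absent.
    $policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $userKey   = 'HKCU:\Control Panel\Desktop'

    $result = [ordered]@{
        ScreenSaverActive      = $false
        ScreenSaverSecure      = $false
        TimeoutSeconds         = $null
        MachineInactivityLimit = $null
        Compliant              = $false
        Findings               = @()
    }

    foreach ($name in 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut') {
        $v = Get-RegValue $policyKey $name
        if ($null -eq $v) { $v = Get-RegValue $userKey $name }
        # These values are stored as strings ("1", "1200"), so compare as text.
        switch ($name) {
            'ScreenSaveActive'    { $result.ScreenSaverActive = ([string]$v -eq '1') }
            'ScreenSaverIsSecure' { $result.ScreenSaverSecure = ([string]$v -eq '1') }
            'ScreenSaveTimeOut'   { if ($null -ne $v) { $result.TimeoutSeconds = [int]$v } }
        }
    }

    # "Interactive logon: Machine inactivity limit" locks the session directly,
    # independent of the screensaver; this example treats it as an
    # alternative way of meeting the control.
    $limit = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
    if ($null -ne $limit) { $result.MachineInactivityLimit = [int]$limit }

    $screensaverOk = $result.ScreenSaverActive -and $result.ScreenSaverSecure -and
                     ($null -ne $result.TimeoutSeconds) -and
                     ($result.TimeoutSeconds -gt 0) -and ($result.TimeoutSeconds -le $MaxSeconds)
    $inactivityOk  = ($null -ne $result.MachineInactivityLimit) -and
                     ($result.MachineInactivityLimit -gt 0) -and
                     ($result.MachineInactivityLimit -le $MaxSeconds)

    if (-not $result.ScreenSaverActive) { $result.Findings += 'Screensaver is not enabled' }
    if (-not $result.ScreenSaverSecure) { $result.Findings += 'Screensaver does not require a password on resume' }
    if ($null -eq $result.TimeoutSeconds -or $result.TimeoutSeconds -le 0 -or $result.TimeoutSeconds -gt $MaxSeconds) {
        $result.Findings += "Screensaver timeout is '$($result.TimeoutSeconds)' s; policy requires 1..$MaxSeconds s"
    }
    if ($inactivityOk -and -not $screensaverOk) {
        $result.Findings += "Control met by machine inactivity limit ($($result.MachineInactivityLimit) s) rather than screensaver"
    }

    $result.Compliant = $screensaverOk -or $inactivityOk
    return [pscustomobject]$result
}

Test-ScreenLockCompliance | Format-List
```

Run it in the affected user's session, since the screensaver values live under HKCU. The result reflects what is currently in the registry, which only equals the intended configuration once Group Policy or the MDM profile has actually applied; on a managed fleet the MDM compliance report remains the authoritative record, and a check like this is for spot-verification or for a user confirming their own device.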
Unacceptable Use
The following activities are, in general, prohibited. Employees may be exempted from these restrictions during their legitimate job responsibilities. Under no circumstances is an employee of Timex Group authorized to engage in any activity that is illegal under local, state, federal, or international law while utilizing Timex Group-owned resources.
Systems and Network Activities
- Violation of the rights of any person or Company protected by copyright, trade secret, patent, or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by Timex Group.
- Unauthorized copying of copyrighted material, including, but not limited to, digitization and distribution of photographs from magazines, books, or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Timex Group or the end users do not have an active license is strictly prohibited.
- Introduction of malicious programs into the network or server (e.g., malware, ransomware, viruses, worms, Trojan horses, email bombs, etc.)
- Revealing your account password to others or allowing use of your account by others. This includes other employees, family members, and household members when work is being done at home.
- Using a Timex Group computing asset to actively procure or transmit sexually explicit material, or any material that violates sexual harassment or hostile workplace laws in the user's local jurisdiction.
- Making statements about warranty, expressly or implied, unless it is part of regular job duties.
- Effecting security breaches or disruptions of network communication. Security breaches include accessing data of which the employee is not an intended recipient, or logging into a server or account that the employee is not expressly authorized to access, unless these actions fall within the scope of the employee's regular duties. For this section, "disruption" includes network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
- Executing any form of network monitoring that will intercept data not intended for the employee’s host, unless this activity is a part of the employee’s regular job/duty.
- Circumventing user authentication or security of any host, network, or account.
- Introducing honeypots, honeynets, or similar technology on the Timex Group network.
- Interfering with or denying service to any user other than the employee’s host (for example, denial of service attack).
- Using any programs/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user’s computer session, via any means, locally or via the internet, intranet, or extranet.
- Providing information about, or a list of, Timex Group employees to parties outside Timex Group.
- Accessing explicit websites using the Company's PCs and laptops.
Email and Communication Activities
When using Company resources to access and use the Internet, users should be aware that they represent the Company. Whenever employees state an affiliation to the Company, they should also clearly indicate that "the opinions expressed are my own and not necessarily those of the Company". Questions may be addressed to the IT Department and/or the HR/Legal Department.
- Sending unsolicited email messages, including the sending of “junk email” or other advertising materials to individuals who did not specifically request such material (email spam).
- Any form of harassment via email, telephone, or text, whether through language, frequency, or size of messages.
- Unauthorized use, or forging, of email header information.
- Creating or forwarding “chain letters”, “Ponzi” or other “pyramid” schemes of any type.
- Use of unsolicited email originating from within Timex Group's network, or from other internet/intranet service providers, on behalf of, or to advertise, any service hosted by Timex Group or connected via Timex Group's network.
- Use of a Company email address in any public-domain posting. Company email is provided for official Timex Group business; occasional use of Company email for personal communication is acceptable.
Blogging and Social Networking Activities
- Blogging and social networking (Facebook, Twitter(X), YouTube, LinkedIn, Instagram, Pinterest, Tumblr, etc.) by employees, whether using Timex Group’s property and systems or personal computer systems, is also subject to the terms and restrictions outlined in this Policy. Limited and occasional use of Timex Group’s systems to engage in blogging is acceptable if it is done professionally and responsibly, does not otherwise violate Timex Group’s policy, is not detrimental to Timex Group’s best interest, and does not interfere with an employee’s regular work duties. Blogging and social networking from Timex Group’s systems are also subject to monitoring.
- Employees are prohibited from revealing any Timex Group confidential or proprietary information, trade secrets, or any other material covered by Timex Group policy.
- Employees shall not engage in any blogging and social networking that may harm or tarnish the image, reputation, and/or goodwill of Timex Group and/or any of its employees. Employees are also prohibited from making any discriminatory, disparaging, defamatory, or harassing comments when blogging and social networking or otherwise engaging in any conduct prohibited by the Company’s Non-Discrimination and Anti-Harassment Policy.
- Employees may also not attribute personal statements, opinions, or beliefs to Timex Group when engaged in blogging and social networking. If an employee expresses personal beliefs and/or opinions in blogs, the employee may not, expressly or implicitly, represent themselves as an employee or representative of Timex Group. Employees assume all risk associated with blogging and social networking.
- Timex Group’s trademarks, logos, and any other Timex Group intellectual properties may also not be used in connection with any blogging and social networking activities.
Enforcement
- Timex Group management will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.
- Any exception to the policy should be approved in writing by the Management team in advance and maintained for future reference.
- Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Exceptions
Exceptions to this policy require approval by the Chief Information Officer or by her or his designee. To request an exception, submit an Information Security Exception request to the Timex IT Department.
References
- NIST SP 800-53 Rev. 5, Access Control (AC) family
Device Management Policy
Introduction
This policy is to define standards, procedures, and restrictions for end users to obtain and use personal or Timex Group (the “Company”) provided devices to perform the functions of their job with the Company. This policy is designed to maintain the security and integrity of the Company's data and technology infrastructure. Limited exceptions to the policy may occur due to variations in devices and platforms.
Scope
All Employees and Representatives of the Company must adhere to this policy. This policy applies to all devices that connect to Timex Group network, applications, or data. Representatives: Within the scope of this policy, “Representatives” refers to contractors, consultants, temporary and other workers at Timex Group, including all personnel affiliated with third parties who have access to or are requesting access to Timex Group computing resources. Devices: Within the scope of this policy, “Device” refers to laptops, desktops, tablets, smartphones, cellular phones, personal digital assistants (PDAs), and any mobile device capable of storing data and connecting to a network. This includes any form of wireless communication device capable of transmitting packet data.
Device Ownership
The policies defined within this document apply fully to all devices that Timex Group allows, authorizes, or otherwise connects to Timex Group networks, applications, or data, regardless of device ownership. Specifically, any employee- or representative-owned device ("Personal Device") shall be covered by this policy when granted access to Timex Group networks, applications, or data. All policy provisions are assumed to cover both company-owned and personal devices unless specifically noted in the policy statements.
Company-Provided Devices
The Company will, at its discretion, identify guidelines for providing Company-owned devices to employees or representatives. These guidelines will be established for the benefit of the Company. They may differ across Locations, Business Units, or Job Classifications as necessary to meet the business objectives of Timex Group. This policy does not grant employees or representatives any specific right to the use of a company-owned device or approval to connect personal devices to the Timex Group network.
Policy
Timex Group provides and/or allows the use of devices by employees or representatives to conduct business and promote the efficiency of operations that serve the interest of the Company, its clients, and customers. Timex Group reserves the right to revoke this privilege at any time. Users are expected to abide by the policies and procedures outlined within this document, and the Company will take appropriate action to ensure compliance with the policy.
General Provision
- Portable/Removable Storage devices are not subject to the full policy restrictions defined within this document; however, IT has provided guidelines that govern the use of these devices while attached to either company-issued or personal devices. All employees and representatives of Timex Group are responsible for using storage devices according to the published guidelines. The IT department may implement additional restrictions regarding the use of storage devices as appropriate and based on general or location-specific business objectives.
- All company-issued devices must be requested and approved using the current Service Request Process. The IT department is responsible for delivering and maintaining records of all company-issued devices. Company-provided devices will be issued from available inventory, and employees and/or representatives are NOT entitled to new equipment; inventory will be managed at the discretion of IT. Employees are generally limited to one client device unless specifically approved in writing by the CIO.
- Company-issued devices remain under the control of the IT organization and may be reclaimed, refreshed, retired, or otherwise modified at the direction of the IT department.
- The IT department will set the standards for all company-issued devices, including network/wireless service providers, where applicable. The IT department MAY, at its discretion, provide specific guidelines on preferences or restrictions regarding personal devices. Employees are encouraged to contact the IT department in advance of any purchase to confirm their Personal Device's ability to access Timex Group resources.
- The IT department may require the installation of software on personal devices before connecting to any Timex Group network, application, or data ("Mobile Device Management (MDM) Software"). Such software will be installed to set security policies on the Personal Device as deemed appropriate by Timex Group to secure access to Timex Group information. Device policies may include, but are not limited to, password policy enforcement and the encryption of Timex Group information, or of information transmitted electronically using Timex Group systems. Timex Group may at any time remove such MDM Software and associated data from the personal device.
- Employees who request access from their personal device bear the sole risk that the installation and/or removal of the MDM Software may affect or delete their data. Employees are strongly encouraged to (1) use Company-provided devices rather than a Personal Device and (2) maintain backups for any personal data kept on a Personal Device.
- Timex Group may use physical or logical controls to inspect Personal Devices before allowing their connection to Timex Group networks or applications; Timex Group may require, at the Company's discretion, a third-party security application, including endpoint security software or similar software, to be installed and maintained before granting access.
- The IT department will provide limited “Best Effort” support for provisioning of personal devices to access Timex Group networks, applications, or data. All such requests for assistance must be logged as a Service Request in the IT Service Management System. Users of personal devices are expected to be fully familiar with the configuration dialogs of their specific device and all locally installed applications. The IT department may make specific corporate applications available for installation on common platforms; however, such support is not guaranteed and may become obsolete due to changes to the Timex Group infrastructure or applications.
- Non-company-issued personal computers are NOT allowed to connect to the Company’s internal network either directly or by VPN, except under special circumstances as approved by the CIO.
- The Company will provide Guest Network access at approved locations as a convenience for visitors and employees; where provided, these Guest networks will be generally unsecured and isolated from the core company network. Access to such Guest Networks from personal devices is NOT subject to the provisions of this policy (access is subject to the Acceptable Use policy).
- The Company may restrict or limit the use of personal devices that contain recording capabilities (Voice, Video, Images); in such cases, Facilities or IT management will ensure appropriate procedures are in place, preventing use within any restricted areas, including laboratories, data centers, and manufacturing floors.
- Representatives may be required to provide a signed acknowledgement in a form acceptable to the Company before using any Personal Devices to access Timex Group networks, applications, or data.
- The Company reserves the right to refuse, by physical and non-physical means, the ability to connect personal devices to the Company network infrastructure. For example, the use of personal devices that are "jailbroken," "rooted," or have been subjected to any other method of altering built-in protections is not permitted and may result in the refusal of connection to the Company's network infrastructure.
- Any exceptions to this policy must be documented in a Service Request and first approved by the employee’s direct manager, along with a business justification for the exception. The IT department MAY request the employee or manager to secure approval from the employee’s respective corporate VP or the location’s Senior Manager. The CIO will make the final determination for any policy exceptions based on the input and approvals obtained.
- IT shall periodically review this policy and make recommendations for changes based on the available technology and current business requirements.
Usage
- Usage of Timex Group-issued devices is always subject to the terms of the “Acceptable Use Policy”.
- Usage of personal devices is subject to the terms of the “Acceptable Use Policy” while connected to or making use of Timex Group networks or applications. Employees or representatives of Timex Group are responsible for any violations of the policy from a personal device, even if the intended usage is of a private and personal nature, if the electronic information is processed by Timex Group network or applications.
- Usage of personal devices is subject to the terms of the “Access and Identity Management Policy” when accessing Timex Group Networks, Applications, or data.
- The Company does NOT perform backups of Data stored locally on devices; Employees and representatives of Timex Group must ensure that all critical data is stored on a Company Server (i.e., File Server, SharePoint Server, OneDrive, Application, or other Company-provided secured storage solution). Company Servers are provided exclusively for Company data and are not to be used to store personal use files or data.
- Employees and representatives of Timex Group are advised that the Company owns all information stored on company-owned devices, and there should be no expectation of privacy concerning such information.
- Timex Group networks should be used for business purposes only, other than incidental personal use.
- Employees and representatives are always required to use reasonable care when in control or possession of Company-issued devices, including physical and logical (security) control. Specific local policies may hold employees and representatives responsible for the costs of replacing or repairing devices where appropriate care is not provided.
- The Company assumes no responsibility for the costs of personal devices unless explicitly defined under the terms of a reimbursement policy; without limitation, this includes the device costs, network costs, insurance, repairs, etc.
- Employees assume full liability for risks associated with personal devices while connected to the Company's network or applications including, but not limited to, the partial or complete loss of personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures, or programming errors that render the device unusable.
- User Safety: employees and representatives must comply with all country and local laws and regulations governing the use of mobile phones and tablets, including those concerning automobile safety. Users are instructed not to talk, text, or otherwise communicate via an endpoint device while driving.
Lost or Stolen Devices
Employees or representatives must take immediate action in the event a device or a removable storage device is lost or stolen. By acting immediately, IT can take action to limit any potential exposure to information or otherwise limit the potential risk. Employees and representatives should immediately notify the Service Desk when a device is lost or stolen. The Service Desk should be provided with all available information regarding the device. Employees are requested to contact the Service Desk via phone whenever possible to expedite security-related actions.
Enforcement & IT Controls
The Company will respect the privacy of your device and will only request access to the device by technicians to implement or audit security controls, as outlined in this policy, or to respond to legitimate discovery requests arising out of administrative, civil, or criminal proceedings (applicable only if user accesses Timex Group networks, applications, or data from their personal device).
Portable/Removable Storage Device Usage
The following are general guidelines and requirements for using removable storage devices connected to computing devices. Employees and representatives MUST be keenly aware of the nature (Confidentiality, Proprietary, Intellectual Property, etc.) of any data that is placed on a removable storage device; by using such devices, employees or representatives assume a duty to always safeguard that data appropriately.
- Employees and representatives are responsible for always maintaining copies of all Company data and electronic work product on Company applications, file servers, SharePoint sites, or OneDrive. Such Company information is NOT to be stored primarily on portable or removable media. In this context, information stored locally on the employee's or representative's device is not considered a secure copy of the data.
- Confidential data should not be transported on removable media except where a business requirement makes it necessary.
- When transporting Confidential data on removable media, employees or representatives of the company must only use IT-approved media. The Company will provide appropriate media when transportation of such data is required.
- Employees and representatives are reminded that information stored on removable media is not rendered unreadable by simple “File Deletion” activities. When discarding removable media, employees or representatives are instructed to use certified physical media destruction providers or to return the removable media to IT for destruction after transporting Company data.
- Employees or Representatives of the Company are expressly prohibited from using any Cloud Storage providers, other than approved standard providers, for the transportation or storage of confidential data unless the provider is agreed in writing by IT management. Company file-sharing services are available upon request.
- Confidential data should be stored on Removable Media for the shortest time possible to meet the business requirements or legal obligations of the Company.
Identity and Access Management Policy
Purpose
The purpose of this policy is to inform all employees of the definitions of required access control measures for all Timex Group systems and applications to protect the privacy, security, and confidentiality of the company information assets and systems.
Scope
This policy applies to all employees and those responsible for managing information access, user accounts, and network access. This policy covers all information access points, including corporate systems, local entity systems, and 3rd party systems or services accessed as approved and/or provisioned by a Timex Group entity.
Definitions
Term
Definition
Identification
Identification is the process of assigning a unique identifier (aka Employee ID, User ID, Username, or Account ID) to every individual or system. Identification is essential to enable decisions about the levels of access that should be given to systems and/or information.
Authentication
The authentication process determines whether someone or something is who or what it is declared to be.
Authorization
Authorization is the process of granting permissions to authenticated users.
Policy
Identification
Identification is the process of assigning a unique identifier (aka Employee ID, User ID, Username, or Account ID) to every individual or system. Identification is essential to enable decisions about the levels of access that should be given to systems and/or information. The IT administration resources are responsible for assigning unique identifiers to employees because of an Approved Access Request.
Authentication
The authentication process determines whether someone or something is, in fact, who or what it is declared to be. Authentication validates the identity of the person. Authentication involves presenting both an Identification (ID) and a Challenge (i.e., a Password or PIN that is known only to the account holder).
All users are responsible for protecting their systems' credentials (ID and Passwords/PINs) and should not share credentials with anyone. If a user suspects their credentials have been compromised, they should change their password immediately or contact the Service Desk to have their password changed.
Authorization
Authorization is the process of granting permissions to authenticated users. Authorization grants the user, through technology or process, the right to use the information assets and determines what type of access is allowed (read-only, create, delete, and/or modify). The system or application should determine if the user has permission to perform the requested operation.
Users are not permitted to access sensitive data unless access has been granted through the business process established by the responsible Manager or Superuser. The IT organization is responsible for administering the Authorization process as approved by management, including obtaining documented Superuser approval. The IT organization will administer appropriate systems and controls to demonstrate an auditable Authorization process based on approved access requests for all access provisioned by the IT organization.
An approved Service Request form/process must be used to add, change, or delete access privileges to Timex Group systems that contain sensitive information. Employees may contact the Service Desk for assistance in identifying the current forms and/or processes required for requesting authorization. The IT organization will retain appropriate electronic records for all requests and approvals related to Authorization until at least the end of the first quarter following the fiscal year in which the authorization was requested.
New Hire: An onboarding request is supported by IT to facilitate the creation of many common accounts needed by a new employee in a single request. The Hiring manager is responsible for ensuring that appropriate requests are processed for the new employee. Additional Service Requests may be needed to provision all the system access required for a new employee.
Terminations: Managers are required to notify the HR organization immediately of all terminations and resignations. The HR organization is responsible for informing the IT department by submitting the appropriate Offboarding Request at the time of termination or resignation. Note: Any “Hostile” terminations are to be reported by an HR representative directly to the Service Desk via a phone call, and the HR representative is to declare a Hostile Termination specifically.
The HR organization and the hiring manager are responsible for taking control of all computing devices immediately at termination. Failure to do so prevents effective control over access to information and systems. Terminated employees are never to be allowed to retain Timex computer equipment after the termination date.
Transfers: For all changes in a job position, a Service Request must be submitted to IT by HR detailing all required changes in the employee’s access. Specifically, IT does NOT remove existing access unless specifically directed to do so.
IT strongly recommends that the Transfer request authorize IT to remove “All Access from All Systems” except for what is explicitly requested on the Transfer request. In this case, common access, such as email and network access, must be specified on the transfer form in order to retain the current accounts.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Security Awareness Training Program
Introduction
This program, as described herein, will provide Timex Group with a comprehensive and measurable awareness program. Based on the globally recognized NIST SP800-16 and NIST SP800-50 standards for Information Technology Security Training and industry-recommended practices, the program will help ensure that Timex Group is proactively identifying and addressing the security risks presented by people.
Scope
This program addresses the security awareness and training needs of all Timex Group departments, divisions, locations, roles, and responsibilities. It will assist Timex Group with designing, planning, and implementing a security awareness and training program. The intended audience includes, but is not limited to, employees, contingent workforce, and those with access to Timex Group Systems. An awareness program should be aimed at all levels of the organization, including senior leadership.
A successful security awareness and training program identifies and explains the proper behaviors when handling different devices and information. Success also relies on security awareness and training becoming part of the organization’s culture. The program will communicate the guidelines, policies, and best practices that must be followed.
Program Considerations
Timex Group has considered the following areas when designing and implementing a security awareness program:
- The employees and contingent workforce members or team that will be responsible for overseeing the implementation and maintenance of the program.
- Timeframe for completion of the security training for new hires.
- A need for training due to compliance or regulatory requirements to meet.
- Frequency of training and testing (e.g., annually, quarterly, monthly).
- The type of training content and methods by which training will be delivered.
- Groups, employees, and contingent workforce members to include in the training.
- Time constraints and availability.
- Senior leadership buy-in to carry out training and testing; and
- How non-compliance will be handled and enforced.
This program will be delivered over three years and may include, but is not limited to:
- Instructor-led training.
- Computer-based training using quizzes, tests, or videos; and
- Social engineering.
While this program describes the collective awareness efforts across all Timex Group departments, it is anticipated that specific role-based training and awareness may be required for each audience.
Roles & Responsibilities
IT and HR:
- Responsible for implementing, developing, and maintaining Timex Group's overall Awareness Program.
- Responsible for coordinating with organizational departments and units to ensure training participation and completion.
- Responsible for scheduling and conducting remote training, remote table events, computer-based training, and/or performing any social engineering testing.
HR: Responsible for tracking attendance of training sessions in personnel files and obtaining and filing any attestations, post-training quizzes, or tests.
Policy
Awareness and Training Strategy
Employees and contingent workforce members will be required to take general security awareness training at least quarterly. The organization's new hires will have 90 days to complete their initial security awareness training.
Information Security and Cybersecurity Best Practices
This training is offered via pre-recorded training video or live session based on the NIST SP800-16 (See References) standard and recommended practices. This training typically takes 60 minutes to complete. At a minimum, the training will cover:
- Current Threats and Common Attacks
- Data Protection
- Security Policies and Procedures
- Privacy
- Recommended Security Best Practices for:
  - Passwords
  - E-Mail
  - Web Browsing
  - Mobile Devices
  - Social Media
  - Wireless Networks
  - Antivirus
- Social Engineering
  - Phishing
  - Vishing
- Physical Security
- Identifying and Responding to Incidents
Additional Training Areas
All additional awareness training is delivered as pre-recorded video or live-session education based on the relevant regulations, laws, and commercial requirements, and targets groups of people with specialized roles, privileges, or risks. Additional training topics may include, but are not limited to:
- Payment Card Industry (PCI)
- Data Classification Handling Procedures
- Cybersecurity for IT
- Cybersecurity for Senior Management/Leadership
- Cybersecurity for Travelers
- EU General Data Protection Regulation
Training Metrics
The security awareness program should capture metrics measuring overall human risk and behaviors. The metrics should demonstrate that the organization’s awareness program is compliant with regulatory requirements and that human behavior is changing. Additional metrics that can be captured include, but are not limited to:
- Number of employees and contingent workforce that attended the last training.
- Number of users reporting phishing attacks.
- Number of infected devices (monthly).
- Number of users falling victim to phishing attacks (monthly).
- Number of password resets (monthly).
- Number of security events reported to IT or Information Security; and
- Number of users who fail sanctioned phishing tests.
Additional assessments may be necessary to capture the overall effectiveness of the security awareness program.
Testing/Assessments
Social Engineering—In the context of information security, social engineering refers to the psychological manipulation of people into performing actions or divulging confidential information. It is a type of confidence trick used for information gathering, fraud, or system access; it differs from a traditional "con" in that it is often one step in a more complex fraud scheme.
Social engineering tests should be conducted regularly to continuously measure the susceptibility of employees and contingent workforce members to common attacks. Tests and assessments may be delivered in the following formats:
- Phishing – Sending e-mails with links, attachments, and other requests.
- Physical – Physical impersonation or intrusion to access control areas or physical walk-through of office space to detect security deficiencies or violations.
Results of social engineering tests will be incorporated into the overall program and tracked.
| Title | Audience | Frequency |
| --- | --- | --- |
| Security Awareness Training | All Employees and Contingent Workforce Members | Quarterly |
| Security Awareness Training Phishing | All Employees and Contingent Workforce Members | Monthly |
Non-Compliance
The IT department will collaborate with Human Resources to ensure that all employees and contingent workforce members complete their required training. If an employee or contingent workforce member fails to complete their security training, the organization will take the following actions:
- Employees and contingent workforce members will be notified of their non-compliance.
- If training is not finished within the required timeframe, the employee's or contingent workforce member’s manager or supervisor will be notified.
- Failure to complete training after additional notification may lead to loss of access to the organization’s systems and/or additional sanctions deemed appropriate by Human Resources.
Enforcement
Failure to comply with this Policy may result in disciplinary action, including the termination of employment or contracts, suspension of system access, or legal action, depending on the severity of the violation.
Exceptions
Exceptions to this policy require approval by the Chief Information Security Officer or by her or his designee. To request an exception, submit an Information Security Exception request to the Timex Group IT Department.
References
NIST SP800-16 and NIST SP800-50
Ownership and Review
This document is owned by IT and HR.
This document shall be reviewed on an annual basis.