Policy Trainings#10

Draft
openprivacy wants to merge 23 commits into main from policies

@openprivacy
Member

📝 Six trainings covering the 193 outcomes from the 17 Information Security-related policies

This creates a new CP-Policies sub-folder with the six policy trainings
LiaScript course files (one README.md per training) with quizzes, ready for review and delivery:


📖 Description

A brief summary of the purpose and scope of this pull request. What problem does it solve or improve? Why is it needed now?


🔧 Type of Change

  • 📝 Documentation or non-code contribution

✅ Tasks to Complete

Peer review:


👀 Review Checklist

  • Documentation is clear and complete

🚀 Deployment Notes

Currently in draft state. Text for Trainings 1 and 2 is complete but not peer reviewed.
Do we want to keep the CP-Policy sub-folder?

@openprivacy openprivacy marked this pull request as draft April 2, 2026 00:51
@openprivacy
Member Author

From #8

The one piece of the Data Handling Training not integrated is "cryptographic erasure is required when decommissioning devices, simple deletion or reformatting is not sufficient." This is lightly covered in Training 3 (IT Operations: Change, Configuration & Patch Management Module D — Endpoint Posture and Privileged Access). I don't believe we need to tell IT how to cryptographically erase, as modern encrypted disk key destruction handles it (and we get an ITAD cert).

Updated project description to clarify the source of learning outcomes and the nature of the training courses.
Member

@grugnog grugnog left a comment

Only about halfway through, but figured I should share what I have - lots of feedback, but actually I think the training is really good - very clear and concise, just a few factual things to fix :)

Comment thread CP-Policies/drafts/01-security-awareness-essentials/README.md
Comment thread CP-Policies/drafts/01-security-awareness-essentials/README.md Outdated
- **Auto-lock** — your screen locks automatically after a short idle period
- **Automatic patching** — your OS and security software stay up to date

> **Important:** You must use your CivicActions-managed laptop for all work involving Internal, Confidential, or client data. Personal (BYOD) mobile devices can only be used for MFA prompts and communication apps — and even then, they need an MDM profile for isolation.
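
Review bot: In the Auto-lock bullet, "a short idle period" gives readers nothing to check their own device against. Consider stating the actual idle timeout from the policy, or linking to where it is defined, so the bullet is as concrete as the laptop requirement in the Important callout below it.
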
Member

I don't think people will know what BYOD or MDM profile means - for the latter we can say something like "a mobile device may require specific security settings as part of login".

Member

Quite a few uses of MDM elsewhere also

Comment thread CP-Policies/drafts/01-security-awareness-essentials/README.md Outdated
- **Never use personal accounts** (like a personal Gmail) for CivicActions work
- CivicActions uses a `firstname.lastname@civicactions.com` naming convention — IT sets this up when you onboard. If your name matches someone else's, IT adds a middle initial or variation.

> **Example:** When you join, PeopleOps verifies your identity through Rippling. IT then creates your Google Workspace account, assigns you to the right groups and Slack channels, and issues your YubiKey — all before your first day.
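
Review bot: The Example callout opens with "When you join" but ends with "all before your first day", and the bullet above it says IT sets up the account "when you onboard", so the timing of account creation and YubiKey issuance is ambiguous. Consider picking one point in time and using it consistently across the bullet and the callout.
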
Member Author

places an order for your CivicActions laptop... is this true?
