BTIT Staff Security Awareness and Training Process

Purpose

This process describes how BTIT ensures that all staff, contractors and key suppliers understand their security responsibilities and are equipped to recognise and respond to security risks in their day-to-day work. The focus is on practical behaviour: protecting customer data, safeguarding credentials and reporting issues quickly.

Scope

This process applies to:

  • All BTIT employees, regardless of role or seniority
  • Long-term contractors and consultants with access to BTIT systems or customer environments
  • Support staff working on BTIT-managed services for government and private sector clients

Security awareness and training lifecycle

  1. Induction and onboarding
  • Security induction: All new starters complete a security induction session within their first week. This covers acceptable use, password and MFA requirements, remote working expectations, data handling rules and how to report incidents.
  • Policy acknowledgement: New starters are required to read and acknowledge key policies, including the Password Policy, Identity Management and Protection Process, Privacy Policy and Incident Response Policy.
  • Account provisioning: Access is granted in line with the Access Control and User Management policy, using the principle of least privilege and MFA where required.
  2. Ongoing awareness and refreshers
  • Annual refresher training: All staff complete an annual security awareness refresher. This reinforces key topics such as phishing, social engineering, secure use of cloud tools, handling customer data and reporting suspicious activity.
  • Targeted training: Staff in higher-risk roles (for example, engineers with privileged access, system administrators and customer support handling sensitive data) receive additional, role-specific training on secure configuration, change management and incident handling.
  • Policy updates: When key security policies change, BTIT issues a short update and, where necessary, provides focused training or Q&A sessions to explain the change.
  3. Phishing and social engineering awareness
  • Simulated phishing: From time to time BTIT runs simulated phishing campaigns or equivalent exercises to help staff recognise suspicious messages and improve their response.
  • Just-culture feedback: Staff who click on simulated phishing links are given constructive feedback and additional guidance, without blame, to support a learning culture.
  • Reporting expectations: Staff are encouraged to report suspicious emails and messages immediately, even if they are not sure whether something is malicious.
  4. Secure use of tools and data
  • Data handling and privacy: Training includes practical guidance on using customer data appropriately, respecting privacy obligations, and complying with contractual and regulatory requirements relevant to government and private sector customers.
  • Remote work and device security: Staff are trained on securing laptops and mobile devices, using VPN and MFA for remote access, and avoiding insecure networks or personal storage for business data.
  • Use of AI and automation: Given BTIT’s focus on AI and digital transformation, training covers appropriate use of AI tools, including avoiding the introduction of sensitive or customer-identifiable data into public AI services without explicit approval.
  5. Incident identification and reporting
  • How to recognise an incident: Staff are trained to recognise early signs of a security issue, such as unexpected MFA prompts, unusual login alerts, suspected malware or misdirected emails.
  • Clear reporting channels: BTIT maintains simple, well-communicated channels for reporting security concerns (for example, a dedicated email address, service desk ticket type or escalation contact).
  • Immediate escalation: Staff are instructed to report incidents as soon as possible. The Incident Response Policy describes how BTIT triages and manages these events.
  6. Record-keeping and compliance
  • Attendance tracking: Completion of mandatory security training and refreshers is recorded as part of BTIT’s HR and compliance records.
  • Periodic review: Training content is reviewed at least annually, or after significant changes to BTIT’s services, threat landscape or relevant standards such as NZISM.
  • Customer and lead agency assurance: On request, BTIT can provide a summary of its security awareness programme, including completion rates and training topics, to customers or lead agencies as part of security due diligence.

Continuous improvement

BTIT treats security awareness as an ongoing practice, not a one-off exercise. Lessons from incidents, near misses, independent reviews and customer feedback are used to update training materials and awareness campaigns so that staff are kept up to date with emerging threats and best practice.