Secureframe Framework Compliance Training

Use Secureframe’s built-in compliance training to meet framework-specific awareness requirements. Each module includes short video lessons, an embedded quiz and automatic progress saving. Plan ~30 minutes per course.

Enabling Training

Before assigning training modules, Admins must enable training in Employee Onboarding Settings:

  • Go to Personnel and click the gear icon in the top right corner.

  • Open the Onboarding tab.

  • Review and enable the Training section (along with other relevant sections like Policies, Background Check, and Secureframe Agent).

  • Assign training to the appropriate groups (e.g., Employees, Contractors, CCPA, or custom HR groups).

⚠️ The groups you select here will determine which personnel are required to complete the assigned training during onboarding and recurring cycles.

Security Awareness Training

Covers:

  • Introduction to Phishing – How attackers impersonate trusted entities to trick individuals into revealing sensitive data (e.g., passwords, credit card numbers).

  • How to Protect Against Phishing – Best practices such as verifying sender identity, avoiding suspicious links, and reporting suspicious emails.

  • Ransomware – What it is, how it encrypts or locks systems, and its impact on businesses.

  • Password Management – Importance of strong, regularly updated passwords and the use of password managers.

  • Multi-Factor Authentication (MFA) – How MFA adds an extra layer of protection by requiring a second verification step.

  • Mobile Device Security – Using strong passcodes, keeping software updated, and enabling remote wipe features to protect sensitive data.

  • Misuse of Systems – Risks of accessing unauthorized data or resources and how this can lead to breaches or compliance violations.

  • Insider Threats – Potential harm from employees/contractors misusing access, either intentionally or unintentionally.

  • Information Spillage – Accidental disclosure or mis-sending of sensitive data, leading to potential breaches or compliance issues.

Who should take it: All employees and contractors.

HIPAA Training

Covers:

  • What is HIPAA and who is a covered entity/business associate.

  • PHI & identifiers: what information is protected.

  • The Privacy Rule (minimum necessary, permitted uses/disclosures, NPP).

  • The Security Rule: administrative, physical, and technical safeguards.

  • Transactions & Code Set Rule; Unique Identifiers (NPI, EIN, etc.).

  • Breach Notification Rule & 2013 Omnibus Rule obligations.

  • Patient rights (access, amendment, accounting), role-based access.

  • Common threats (phishing, ransomware, lost/stolen devices) & workforce responsibilities.

Who should take it: Anyone who creates, receives, maintains, or transmits PHI.

PCI DSS Training

Covers:

  • What is PCI DSS and who must comply (merchants, service providers).

  • Cardholder Data (CHD) vs. Sensitive Authentication Data (SAD); storage rules.

  • Maintaining secure networks & systems (firewalls, secure configs, hardening).

  • Protecting cardholder data (encryption in transit/at rest, key management, tokenization, PAN masking).

  • Vulnerability management (patching, anti-malware, vulnerability scanning).

  • Strong access control (least privilege, MFA, unique IDs).

  • Monitoring & testing (logging, file-integrity monitoring, penetration testing).

  • Security policy & awareness requirements.

  • Example quiz topics: merchant levels (based on transaction volume/acquirer), prohibited data storage, SAQ types.

Who should take it: Anyone who handles payment card data or supports in-scope systems.

GDPR Training

Covers:

  • What is GDPR and territorial scope.

  • Personal data & special category data definitions with examples.

  • The seven data protection principles (lawfulness/fairness/transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity & confidentiality; accountability).

  • Lawful bases for processing & consent requirements.

  • Data subject rights (DSARs): access, rectification, erasure, restriction, portability, objection.

  • Data Protection Officers (DPOs) and governance responsibilities.

  • Breach notification timelines (e.g., 72 hours) & administrative fines.

  • International transfers (SCCs, adequacy) and safe handling/transfer of data.

Who should take it: Teams that collect or process EU residents’ personal data.

CCPA Training

Covers:

  • Who the law applies to (business thresholds; California consumers).

  • Consumer rights: know/access, delete, opt-out of sale/share, correct, limit use of sensitive personal information.

  • Notice at collection and privacy policy disclosures.

  • Do Not Sell/Share mechanisms and honoring Global Privacy Control (GPC) signals.

  • Service provider/contractor obligations & data processing agreements.

  • Non-discrimination, verification, response timelines, and record-keeping.

  • Security expectations and breach liability (private right of action).

  • Data mapping and retention considerations introduced by CPRA.

Who should take it: Privacy, support, marketing, product, and any teams handling California consumer requests.

Secure Code Training (PCI Secure Coding)

Covers:

  • OWASP foundations and secure SDLC practices.

  • Input validation & output encoding; SQL/NoSQL injection and XSS prevention.

  • Authentication & authorization (password storage, session management, MFA).

  • CSRF defenses and secure use of cookies.

  • Cryptography basics (TLS, key management, secrets handling).

  • Error handling & secure logging; avoiding sensitive data exposure.

  • Dependency & supply-chain security (SCA, patching vulnerable libraries).

  • Secure APIs (rate limiting, auth, schema validation) and file handling.

  • Code review, threat modeling, SAST/DAST, CI/CD hardening, and DevSecOps handoffs.

  • PCI DSS Requirement 6 awareness for developers.

Who should take it: Engineers, developers, QA, and code reviewers.

Handling CUI Training

Covers:

  • What CUI is and how the federal CUI Program defines, categorizes, and governs controlled unclassified information.

  • Limited Dissemination Controls (LDC) — authorized restrictions on sharing and distributing CUI.

  • CUI Cover Page requirements for documents containing controlled information.

  • Marking emails that contain CUI, including subject line and body marking standards.

  • Decontrolling CUI — when and how information loses its CUI designation.

  • Access and dissemination rules — who can receive CUI and under what conditions.

  • Knowledge check to validate understanding across all lesson topics.

Who should take it: Anyone who accesses, processes, creates, or handles Controlled Unclassified Information, including personnel supporting federal contracts or defense-related work.

Frequently Asked Questions (FAQ)

If I switch the training provider from ESET or another third-party training provider to Secureframe, will that prompt retraining for everyone?

  • No. Switching the training provider from ESET or any other third-party provider to Secureframe's Free training does not reset or change existing training statuses. Users who have already completed their training will keep their completion records.

  • If needed, Admins can still manually reset training for individual users or in bulk.
