FAQs: Security training and awareness: modules, phishing simulations, and completion

This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.

It is meant as quick reference material for day-to-day use of the product.

Awareness and training programs

Does Secureframe’s free cybersecurity training satisfy compliance requirements for both onboarding and recurring training?

  • Yes, our training satisfies compliance requirements for both onboarding and recurring security awareness training—even though it is free. It is designed to meet the standards for frameworks like SOC 2, ISO 27001, HIPAA, and others.

How do I switch from ESET to Secureframe Security Training?

  • Follow these steps:
    1. Go to the Personnel section.
    2. Click the gear icon (⚙️) to open Settings.
    3. Select the Onboarding tab.
    4. Scroll down to the Training section.
    5. Under the Vendor dropdown, select Secureframe instead of ESET.

    This will assign Secureframe's built-in training to new users during onboarding.

How often should the security awareness program be reviewed?

  • The security awareness program should be reviewed at least once every 12 months.

If a company requires employees to complete security training annually, how would they set that up (reopen, invite, etc.) in our app?

  • The employee will receive an email notification when their training expires, and the task will become incomplete again in their onboarding flow.

If we have Contractors that are In-Scope, do they need to complete the Security training?

  • All active employees and any contractors with access to customer data or production must complete the employee onboarding process, including accepting company policies, completing security training, and undergoing background checks.

Is annual security awareness training conducted for employees?

  • Employees receive notifications (emails) when their training expires, prompting them to complete it again in their onboarding flow.

Is ESET Security Training still available?

  • Yes, but it is no longer the recommended option. You can still choose ESET as the vendor in the onboarding settings, but we strongly encourage using Secureframe's built-in training for a smoother experience.

What else should security awareness training include awareness about?

  • Security awareness training should include awareness about the acceptable use of end-user technologies, in accordance with PCI DSS Requirement 12.2.1.

What is ESET Security Training, and why was it used before?

  • ESET Security Training was previously the default free vendor provided by Secureframe to satisfy compliance requirements for Security Awareness Training. It required users to create an account and verify their email. However, many users experienced issues accessing or completing the training.

What methods of communication should be used in the security awareness program?

  • Multiple methods of communication should be used.

What should security awareness training include awareness of?

  • Security awareness training should include awareness of threats and vulnerabilities that could impact the security of cardholder data and/or sensitive authentication data, including phishing and related attacks and social engineering.

When else should the security awareness program be updated?

  • The security awareness program should be updated as needed to address any new threats and vulnerabilities that may impact the security of the entity’s cardholder data and/or sensitive authentication data, or the information provided to personnel about their role in protecting cardholder data.

Where can I find additional guidance on implementing a security awareness program?

  • For additional guidance, refer to [Information Supplement: Best Practices for Implementing a Security Awareness Program](https://pcisecuritystandards.org/).


Modules and completion

How are Secureframe compliance training modules graded or scored?

  • Our training modules are not scored. Instead, they are designed to ensure you arrive at the correct answers before completion. After you watch the training video, you’ll be prompted with questions:

    Incorrect answers will be crossed out, and the dot next to the question will turn red.

    Once you select the correct answer, the dot will turn green.

    This approach makes sure every learner finishes the module with all correct answers.

Phishing simulations

How do attackers typically disguise themselves in phishing attacks?

  • Attackers will typically disguise themselves and attempt to appear as a genuine or trusted source, directing personnel to send an email response, click on a web link, or enter data into a compromised website.

What approaches should entities consider when developing anti-phishing controls?

  • When developing anti-phishing controls, entities are encouraged to consider a combination of approaches.

Where can I find guidance on technical and automated controls to detect and protect users from phishing attacks?

  • See PCI DSS Requirement 5.4.1 for guidance on the difference between technical and automated controls to detect and protect users from phishing attacks.

Where can more information about phishing be found?

  • See the following for more information about phishing: National Cyber Security Centre - Phishing Attacks: Defending your Organization, and US Cybersecurity & Infrastructure Security Agency - Report Phishing Sites.

Where should anti-phishing controls be applied?

  • It is recommended (but not required) that anti-phishing controls are applied across an entity’s entire organization.

Why are technical controls important in preventing phishing attacks?

  • Technical controls can limit the number of occasions personnel have to evaluate the veracity of a communication and can also limit the effects of individual responses to phishing.

Additional customer questions

How do I reflect that alternative training is being completed outside of Secureframe?

  • Admins need to go into Personnel settings and switch the training provider to Other (Third Party). This will require employees to upload proof of training.

Does Secureframe offer training that meets California AB 1825 (Sexual Harassment Prevention Training)?

  • Currently, Secureframe does not offer AB 1825-compliant sexual harassment prevention training. We recommend sourcing a dedicated training provider that specializes in anti-discrimination and harassment compliance for California law.

Does Secureframe’s training meet compliance requirements?

  • Yes, Secureframe’s training is designed to meet industry-standard compliance requirements for Security Awareness Training, including SOC 2, ISO 27001, and HIPAA.

How does Secureframe automate training?

  • Secureframe provides built-in training content, tracks completion, and ensures compliance with framework requirements.

How does Secureframe streamline training compliance?

  • Secureframe provides built-in training content, tracks completion against compliance requirements, and eliminates the need for third-party training platforms like KnowBe4.

Why does Secureframe recommend switching from ESET to Secureframe Training?

  • Secureframe now offers its own built-in Security Awareness Training that is easier to access, requires no external login, and is free for all customers. We recommend using Secureframe's training to streamline onboarding and avoid issues seen with the ESET integration.

Are Secureframe's training videos available in multiple languages?

  • Yes! All of Secureframe’s training videos now include auto-generated subtitles in multiple languages to support global teams.

    You can enable subtitles in:
    - English (auto-generated and CC)
    - Español (Spanish)
    - Français (French)
    - Deutsch (German)
    - Italiano (Italian)

    This applies to the following training modules:
    - Security Awareness Training
    - HIPAA Training
    - PCI Training
    - GDPR Training
    - CCPA Training
    - Secure Code Training

    To turn on subtitles, simply click the CC icon on the video player and select your preferred language.

We are looking at using a new vendor that has not undergone any sort of SOC-2 certification. We will not be sharing anything sensitive in the course content we'd be sending, so it seems like it should be okay?

  • I would recommend doing a quick vendor assessment in the Secureframe platform to determine if this vendor is low, medium, or high risk. You can get the answer quickly by filling out a 5-6 question assessment. If they are low or medium risk, there would be no issue for SOC 2. If they are high, additional due diligence is needed.
