Awareness and Training

This policy applies to all employees and contractors.

Awareness means drawing people's attention to security challenges. Training means giving people the level of security skills their job requires.

Awareness

At Rocket.Chat we can build on a tech-savvy team with broad knowledge of security topics and specializations. We therefore focus on raising awareness of new developments as they happen. Goal: keep all members of Rocket.Chat apprised of new and current developments in the security landscape.

We rely on the widely respected KnowBe4 platform, from Kevin Mitnick, to build our Security Awareness program. The program has two main components: training and security tests.

Training

Goal

Provide all Rocket.Chat members with the security skills appropriate to their job profile and career path.

Basic Security training

We provide every Rocketeer with a basic security awareness training, available at https://training.knowbe4.com and accessed with the corporate Google account.

Content

This training covers many of the security threats we may be targeted by, such as email phishing, credential compromise and network threats.

What you should know about the Basic Security training

  • It is mandatory for all Rocketeers, no exceptions.

  • Completing it is required to keep your access to Rocket.Chat services, including Google Workspace, Jira, etc.

  • You have 30 days after your enrollment to finish the training.

  • After the due date, your access may be suspended until you finish the mandatory training.

  • If you have any issue accessing or completing the security training, reach out to any security team member.

Additional trainings

We also provide additional security trainings specific to areas or teams in the company, for example:

  • Secure coding and best practices for engineers and developers

  • Awareness of attacks targeting C-level executives, for senior management

  • PII data handling for the People and Data teams


Security tests

We also periodically perform unannounced internal security tests to assess the effectiveness of the training and to collect metrics that help us provide more suitable content for future trainings.

The tests may take the form of a simulated phishing email, a simulated SMS phishing message or a phone call.

How to report a phishing email

At Rocket.Chat we use a phishing reporting integration from KnowBe4 called the Phish Alert Button. It is an add-on with an orange hook icon, integrated with your corporate Gmail and pre-installed on every platform from which you access your Rocket.Chat email.

Always use the integration to report suspected phishing emails, and do not click links or open attachments in a suspicious email before reporting it. If the email is a simulated one, you will see a message congratulating you on spotting the simulated campaign. If it is a potential real phishing email, it will be sent to the security team for further analysis.