Security Awareness Training & Compliance Requirements

Did you know there are over 8,500 different Local, State, and Federal standards & requirements your organization may be required to comply with? This staggering number can come as a surprise to many. That’s why we’ve taken the time to compile a list of the most common standards which may require your organization to implement a security awareness program.

Does Your Business Accept Credit Cards?

If so, you are required by law to comply with PCI security standards. PCI DSS applies to any business that processes credit cards or any other form of electronic payment. The standards include educating employees on the importance of cardholder information security. They also require employees to acknowledge in writing that they have read and understood the company’s security policy and procedures. Note that you should already have a written security policy and procedures for your organization.

Is Your Company Public?

The Sarbanes-Oxley Act, also known as the “Public Company Accounting Reform & Investor Protection Act”, was established to set and expand requirements for all U.S. publicly traded companies. Its rules include a requirement that every annual report contain an internal control report, which shall state the responsibility of management for developing and maintaining an adequate internal control structure & procedures for financial reporting. Even if you are only planning to go public sometime in the future, start working on a security awareness training plan now.

Are You In The Healthcare Sector?

For organizations within the healthcare sector, the Health Insurance Portability & Accountability Act, or HIPAA as it is more commonly known, is a very important rule that affects the way you store & protect patient information. HIPAA requires the implementation of a security awareness and training program for your entire workforce, including consultants.

Other Noteworthy Governance…

ISO/IEC 27001 & 27002 – Requires that all employees of an organization, as well as contractors or third party users, should receive awareness training & regular updates in organizational policies, as relevant to their job function.

FACTA – FTC Red Flags Rule – Under FACTA, which is an amendment to the Fair Credit Reporting Act, the FTC created the Red Flags Rule. The rule requires training as part of an Identity Theft Prevention Program. 16 CFR 681.1: Employees should be trained about the various red flags to look out for, and/or any other relevant aspect of the organization’s Identity Theft Prevention Program.

Gramm-Leach-Bliley Act – 6801.(b).(1)-(3) In furtherance of the policy in subsection (a) of this section, each agency or authority described in section 6805(a) of this title shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical & physical safeguards:

  • To insure the security and confidentiality of consumer records & information
  • To protect against any anticipated threats or hazards to the security or integrity of such records
  • To protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer

CobiT – PO7.4 Provide IT employees with appropriate orientation when hired and ongoing training to maintain their knowledge, skills, abilities, internal controls, and security awareness at the level required to achieve organizational goals.

Section DS7 Management of the process to educate and train users that satisfies the business requirement for IT of effectively and efficiently using application and technology solutions and ensuring user compliance with policies and procedures is defined when a training and education program is instituted and communicated, and employees and managers identify and document training needs. Training and education processes are standardized and documented. Budgets, resources, facilities, and trainers are being established to support the training and education program. Formal classes are given to employees on ethical conduct and system awareness and practices. Most training and education processes are monitored, but not all deviations are likely to be detected by management. Analysis of training and education problems is only occasionally applied.

Federal Information Security Management Act (FISMA) – 3544.(b).(4).(A).(B) Security awareness training is required to inform personnel, including contractors and other users of information systems, on how to support the operations and assets of the agency, of the information security risks associated with their activities, and of their responsibilities in complying with agency policies and procedures designed to reduce these risks.

US State Specific Privacy Laws

Many states in the U.S. have their own privacy laws. For example, one of the most robust privacy laws is here in the state of Massachusetts. 201 CMR 17.03 – the Massachusetts privacy law mandates training to maintain a comprehensive information security program. The training must focus on reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper, or other records containing personal information. Training must be ongoing and must be given not only to permanent employees but also to temporary or contract employees.

More articles by Roger Murray