You are required to write a three to five (3-5) page proposal in which you recommend the need for security awareness training. In your proposal, be sure to:
- Identify compliance or audit standards that your organization must adhere to.
- Identify security awareness requirements for those standards.
- Identify training methods to meet those requirements (in-house, contract, or computer-based training (CBT)).
Assumptions
- You should assume that your company will have to accept credit cards as payments.
- You should assume that no current awareness/training plans exist for your company.
- You should assume that all offices and groups need training.
Notes on submission:
- Use at least three (3) quality resources as references in this assignment. Wikipedia and similar Websites do not qualify as quality resources.
- Your assignment must follow these formatting requirements: Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
- Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.
Security Awareness Compliance Requirements
Updated: 11 October, 2017
SANS MGT433 – https://securingthehuman.sans.org
Executive Summary
The purpose of this document is to identify different standards and regulations that require security awareness programs.
ISO/IEC 27001 and 27002
8.2.2: All employees of the organization and, where relevant, contractors and third-party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.
Learn more at: http://www.iso.org/iso/home/standards/management-standards/iso27001.htm
PCI DSS
12.6: Make all employees aware of the importance of cardholder information security.
• Educate employees (for example, through posters, letters, memos, meetings, and promotions).
• Require employees to acknowledge in writing that they have read and understand the company’s security policy and procedures.
Download the PCI DSS standard at: https://www.pcisecuritystandards.org/document_library
Download the PCI DSS Security Awareness Program Guidelines at: https://www.pcisecuritystandards.org/documents/PCI_DSS_V1.0_Best_Practices_for_Implementing_Security_Awareness_Program.pdf
Federal Information Security Management Act (FISMA)
§3544.(b).(4).(A),(B): Security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of information security risks associated with their activities and their responsibilities in complying with agency policies and procedures designed to reduce these risks.
Learn more at: http://www.dhs.gov/fisma
Gramm-Leach-Bliley Act (GLBA)
The Safeguards Rule requires companies to assess and address the risks to customer information in all areas of their operation, including three areas that are particularly important to information security: Employee Management and Training; Information Systems; and Detecting and Managing System Failures. Depending on the nature of their business operations, firms should consider implementing the following practices: Employee Management and Training. The success of your information security plan depends largely on the employees who implement it.
GLBA Overview: https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act
Safeguards Rule: https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions-customer-information-complying
Health Insurance Portability and Accountability Act (HIPAA)
§164.308.(a).(5).(i): Implement a security awareness and training program for all members of its workforce (including management).
Learn more at: http://www.hhs.gov/hipaa/for-professionals/index.html
Red Flags Rule
§16 CFR 681.1(d)-(e): Employees should be trained about the various red flags to look for and any other relevant aspect of the organization’s Identity Theft Prevention Program.
Learn more at: https://www.ftc.gov/tips-advice/business-center/privacy-and-security/red-flags-rule
NERC CIP
The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection Standard. CIP-004-5.1 R1 – Each Responsible Entity shall implement one or more documented processes that collectively include security awareness that, at least once each calendar quarter, reinforces cyber security practices (which may include associated physical security practices) for the Responsible Entity’s personnel who have authorized electronic or authorized unescorted physical access to BES Cyber Systems.
Learn more at: http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
CobiT
PO7.4 Personnel Training: Provide IT employees with appropriate orientation when hired and ongoing training to maintain their knowledge, skills, abilities, internal controls, and security awareness at the level required to achieve organizational goals.
§DS7: Management of the process of Educate and Train Users that satisfies the business requirement for IT of effectively and efficiently using applications and technology solutions and ensuring user compliance with policies and procedures is: […] 3 Defined when a training and education program is instituted and communicated, and employees and managers identify and document training needs. Training and education processes are standardized and documented. Budgets, resources, facilities, and trainers are established to support the training and education program. Formal classes are given to employees on ethical conduct and system security awareness and practices. Most training and education processes are monitored, but not all deviations are likely to be detected by management. Analysis of training and education problems is applied only occasionally,
Learn more at: https://cobitonline.isaca.org/
U.S. State Privacy Laws
Many states in the United States have individual privacy laws. You can find a listing of most of those state privacy laws at Morrison & Foerster's Privacy Library. Many of these privacy laws require some type of awareness training or, at a minimum, that the privacy requirements are communicated to employees in that state.
Learn more at: https://www.mofo.com/privacy-library
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is the latest data security legislation in the European Union; it takes effect on 25 May 2018. The European Union has directed all European member countries to develop and define laws regarding the protection of the personal privacy of the citizens of their respective countries. This regulation has specific requirements for data breach notification (within 72 hours) and fines of up to 4% of the organization’s global revenues. Although each country’s implementation of this regulation is different and unique, the regulation does require a security awareness program. Under Article 39:
"The data protection officer shall have at least the following tasks: … (b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits; …"
Learn more at: http://www.eugdpr.org
Australian Government InfoSec Manual
§0252: Information security awareness and training: Revision: 2; Updated: Nov-10; Applicability: U, IC, R/P, C, S/HP, TS; Compliance: must
Agencies must provide ongoing information security awareness and training for personnel on information security policies including topics such as responsibilities, consequences of noncompliance, and potential security risks and countermeasures.
Download the manual at: http://www.asd.gov.au/infosec/ism
PAS 555 Cyber Security Risk: Governance and Management
PAS 555 is a UK standard that offers a framework that defines the outcome of good cyber security practice. It extends beyond the technical aspects of cyber security risk to encompass physical and people (behavioral) security aspects as well.
Clause 4: Commitment to a Cyber Security Culture: The organization's top management shall define and demonstrate how it engenders a culture of cyber security within the organization. (Note: A cyber security culture is one in which values, attitudes, and behaviors are the foundation of day-to-day life in the organization. It is one where being careless about (cyber) security is not acceptable. It is recognized that it takes time to achieve a culture change and cannot be immediate.)
Clause 7: Capability Development Strategy: The organization shall have cyber security awareness programs, training, and development so that all individuals in the extended enterprise have the awareness and competence to fulfill their cyber security role and contribute to an effective cyber security culture.
Learn more at: http://shop.bsigroup.com/en/ProductDetail/?pid=000000000030261972
Standard: PCI Data Security Standard (PCI DSS)
Version: 1.0
Date: October 2014
Author: Security Awareness Program Special Interest Group
PCI Security Standards Council
Information Supplement:
Best Practices for Implementing a Security Awareness Program
The intent of this document is to provide supplemental information. Information provided here does not replace or supersede requirements in any PCI SSC Standard.
Information Supplement • Best Practices for Implementing a Security Awareness Program • October 2014
Table of Contents
1 Introduction (p. 1)
1.1 Importance of Security Awareness (p. 1)
1.2 Intended Audience (p. 2)
1.3 Terminology (p. 2)
2 Best Practices in Organizational Security Awareness (p. 3)
2.1 Assemble the Security Awareness Team (p. 3)
2.2 Determine Roles for Security Awareness (p. 3)
2.2.1 Identify levels of responsibility (p. 3)
2.2.2 Establish Minimum Security Awareness (p. 4)
2.2.3 Determine the content of training and applicability based on PCI DSS (p. 5)
2.3 Security Awareness throughout the Organization (p. 5)
3 Security Awareness Training Content (p. 7)
3.1 All Personnel (p. 8)
3.2 Management (p. 9)
3.3 Specialized Roles (p. 9)
3.3.1 Cashier/Accounting Staff (p. 10)
3.3.2 Procurement Team (p. 10)
3.3.3 IT Administrators and Developers (p. 10)
3.4 Define Metrics to Assess Awareness Training (p. 11)
4 Security Awareness Program Checklist (p. 12)
Appendix A: Sample Mapping of PCI DSS Requirements to Different Roles, Materials and Metrics (p. 13)
Appendix B: Security Awareness Program Record (p. 20)
Acknowledgements (p. 24)
1 Introduction
In order for an organization to comply with PCI DSS Requirement 12.6, a formal security awareness program must be in place. There are many aspects to consider when meeting this requirement to develop or revitalize such a program. The best practices included in this information supplement are intended to be a starting point for organizations without a program in place, or as a minimum benchmark for those with existing programs that require revisions to:
- Meet PCI DSS requirements;
- Address the quickly and ever-changing data security threat environment;
- Reinforce the organization’s business culture.
Establishing and maintaining information-security awareness through a security awareness program is vital to an organization’s progress and success. A robust and properly implemented security awareness program assists the organization with the education, monitoring, and ongoing maintenance of security awareness within the organization.
This guidance focuses primarily on the following best practices:
- Organizational Security Awareness: A successful security awareness program within an organization may include assembling a security awareness team, role-based security awareness, metrics, appropriate training content, and communication of security awareness within the organization.
- Security Awareness Content: A critical aspect of training is the determination of the type of content. Determining the different roles within an organization is the first step to developing the appropriate type of content and will also help determine the information that should be included in the training.
- Security Awareness Training Checklist: Establishing a checklist may help an organization when developing, monitoring, and/or maintaining a security awareness training program.
The information in this document is intended as supplemental guidance and does not supersede, replace, or extend PCI DSS requirements. While all references made in this document are to PCI DSS version 3.0, the general principles and practices offered here may be applied to any version of PCI DSS.
1.1 Importance of Security Awareness
One of the biggest risks to an organization’s information security is often not a weakness in the technology control environment. Rather, it is the action or inaction by employees and other personnel that can lead to security incidents—for example, through disclosure of information that could be used in a social engineering attack, not reporting observed unusual activity, accessing sensitive information unrelated to the user’s role without following the proper procedures, and so on. It is therefore vital that organizations have a security awareness program in place to ensure employees are aware of the importance of protecting sensitive information, what they should do to handle information securely, and the risks of mishandling information.
Employees’ understanding of the organizational and personal consequences of mishandling sensitive information is crucial to an organization’s success. Examples of potential consequences may include penalties levied against the organization, reputational harm to the organization and employees, and impact to an employee’s job. It is important to put potential organizational harm into perspective for personnel, detailing how such damage to the organization can affect their own roles.
1.2 Intended Audience
This guidance is intended for any organization required to meet PCI DSS Requirement 12.6 to implement a formal security awareness program within their organization. The guidance is applicable to organizations of all sizes, budgets, and industries.
1.3 Terminology
Data Loss Prevention (DLP) Scanning: A process of monitoring and preventing sensitive data from leaving a company environment.
Phishing: A form of social engineering in which an attempt is made to acquire sensitive information (for example, passwords, usernames, payment card details) from an individual through e-mail, chat, or other means. The perpetrator often pretends to be someone trustworthy or known to the individual.
Privileged Access: Users who generally have elevated rights or access above that of a general user. Typically, privileged access is given to those users who need to perform administrative-level functions or access sensitive data, which may include access to cardholder data (CHD). Privileged Access may encompass physical and/or logical access.
Social Engineering: As defined by (ISC)²: An attack based on deceiving users or administrators at the target site—for example, a person who illegally enters computer systems by persuading an authorized person to reveal IDs, passwords, and other confidential information.
2 Best Practices in Organizational Security Awareness
Security awareness should be conducted as an on-going program to ensure that training and knowledge are not just delivered as an annual activity, but are used to maintain a high level of security awareness on a daily basis.
Protecting cardholder data (CHD) should form part of any organization-wide information security awareness program. Ensuring staff are aware of the importance of cardholder data security is important to the success of a security awareness program and will assist in meeting PCI DSS Requirement 12.6.
2.1 Assemble the Security Awareness Team
The first step in the development of a formal security awareness program is assembling a security awareness team. This team is responsible for the development, delivery, and maintenance of the security awareness program. It is recommended the team be staffed with personnel from different areas of the organization, with differing responsibilities representing a cross-section of the organization. Having a team in place will help ensure the success of the security awareness program through assignment of responsibility for the program. The size and membership of the security awareness team will depend on the specific needs of each organization and its culture.
2.2 Determine Roles for Security Awareness
Role-based security awareness provides organizations a reference for training personnel at the appropriate levels based on their job functions. The training can be expanded upon—and subject areas combined or removed—according to the levels of responsibility and roles defined in the organization. The goal is to build a reference catalogue of various types and depths of training to help organizations deliver the right training to the right people at the right time. Doing so will improve an organization’s security as well as help maintain PCI DSS compliance. Whether the focus is a singular, holistic, or a tiered approach, the content can be scoped to meet an organization’s requirements.
All types of roles may not apply to all organizations, and some roles may need to be divided into subsections to align with responsibilities. This can be modified according to the requirements of the organization.
2.2.1 Identify levels of responsibility
The first task when scoping a role-based security awareness program is to group individuals according to their roles (job functions) within the organization. A simplified concept of this is shown in Figure 1 on the following page.
Figure 1: Security Awareness Roles for Organizations
The diagram above identifies three types of roles: All Personnel, Specialized Roles, and Management. A solid awareness program will help All Personnel recognize threats, see security as beneficial enough to make it a habit at work and at home, and feel comfortable reporting potential security issues. This group of users should be aware of the sensitivity of payment card data even if their day-to-day responsibilities do not involve working with payment card data.
Additional training for those in Specialized Roles should focus on the individual’s obligation to follow secure procedures for handling sensitive information and recognize the associated risks if privileged access is misused. Examples of users in this category may include those processing payment cards, writing applications that process payment cards, building databases to hold CHD, or designing and building networks that CHD traverses. Each of these specialized roles requires additional training and awareness to build and maintain a secure environment. Additionally, specific training may be required to include understanding of PCI DSS and PA-DSS requirements.
Management has additional training needs that may differ from the two previous areas. Management needs to understand the organization’s security policy and security requirements enough to discuss and positively reinforce the message to staff, encourage staff awareness, and recognize and address security-related issues should they occur. The security awareness level of management may also need to include an overall understanding of how the different areas fit together. Accordingly, managers of staff with privileged access should have a solid understanding of the security requirements of their staff, especially those with access to sensitive data. Management training will also help with decisions for protecting the organization’s information.
2.2.2 Establish Minimum Security Awareness
Establishing a minimum awareness level for all personnel can be the base of the security awareness program. Security awareness may be delivered in many ways, including formal training, computer-based training, e-mails and circulars, memos, notices, bulletins, posters, etc. The security awareness program should be delivered in a way that fits the overall culture of the organization and has the most impact to personnel.
The following diagram depicts how the depth of awareness training should increase as the level of risk associated with different roles increases.
Figure 2: Depth of Security Awareness Training
2.2.3 Determine the content of training and applicability based on PCI DSS
Training content can be broken down further to map to applicable PCI DSS requirements. Appendix A contains a chart listing the high-level requirements of PCI DSS, with examples of roles listed that may need security awareness training in these control areas. Section 3, Security Awareness Training Content, contains further information related to training content for the different levels within an organization.
2.3 Security Awareness throughout the Organization
The key to an effective security awareness program is in targeting the delivery of relevant material to the appropriate audience in a timely and efficient manner. To be effective, the communication channel should also fit the organization’s culture. By disseminating security awareness training via multiple communication channels, the organization ensures that personnel are exposed to the same information multiple times in different ways. This greatly improves how people remember the information presented to them. Content may need to be adapted depending on the communication channel—for example, the content in an electronic bulletin may be different than content in an instructor-led training seminar, even though both have the same underlying message. The communication channel used should match the audience receiving the training content and the type of content, as well as the content itself.
Electronic communication methods can include e-mail notifications, eLearning, internal social media, etc. It is important to target electronic security awareness notifications to the appropriate audience to ensure the information is read and understood. It is easier for electronic notifications to go unread or ignored by busy personnel. By targeting the material and communication channel to relevant personnel, the security awareness team can improve adoption of the security awareness program.
Non-electronic notifications may include posters, internal mailers, newsletters, and instructor-led training events. In-person security awareness events that involve active participation by personnel can be extremely effective. Audience size in an instructor-led presentation is important: the larger the group, the greater the risk that content may not be communicated effectively, as individuals may lose focus on the material presented if they do not feel engaged. Including activities that engage the audience, such as scenario-based activities, helps ensure the concepts are understood and remembered. For example, a structured social-engineering exercise will teach personnel quickly how to identify a social-engineering attack and react appropriately. Internal seminars, training provided during lunch breaks (commonly called “lunch-and-learns” or “brown bag”), and employee social events are also great opportunities for the security awareness team to interact with personnel and introduce security concepts. Appendix B provides a list of the common methods to communicate security awareness throughout the organization.
It is recommended that communication of security awareness be included in new-hire processes, as well as role changes for existing personnel. Security awareness training may be combined with other organizational requirements, such as confidentiality and ethics agreements. Each job position in the organization should be identified based on the level of data access required. See Section 2.2, Determine Roles for Security Awareness, for more information. To ensure that the security awareness team is notified whenever a role identified as needing security awareness is filled, it is recommended this step be included in the process for all new-hire/re-classifications. Inclusion in the new-hire/re-classification process ensures the overall training goals are promoted without reliance on individual organizational units.
Management leadership and support for the security awareness program is crucial to its successful adoption by staff. Managers are encouraged to:
- Actively encourage personnel to participate in and uphold the security awareness principles.
- Model the appropriate security awareness approach to reinforce the learning obtained from the program.
- Include security awareness metrics in management and staff performance reviews.
3 Security Awareness Training Content
As discussed in Section 2.2, Determine Roles for Security Awareness, it is recommended training content be determined based on the role and the organization’s culture. The security awareness team may wish to coordinate with the appropriate organizational units to classify each role in order to determine the level of security awareness training required for those specific job duties. This is vital in development of content, as it is just as easy to “over-train” an employee as it is to “under-train” an employee. In both cases, if information i