If you are looking for the simplest explanation of which Security Awareness Training programs you should incorporate, and at what level, your quest is complete: look no further.
Although it is very important to train employees on security best practices and procedures, many organizations turn a deaf ear to it, and only once they are breached or their compliance is revoked do they understand the necessity and significance of security awareness training.
For anyone responsible for planning and executing security awareness training activities at the corporate level for PCI-DSS, SSAE 18, ISO 27001 and similar compliance, conducting security awareness training and collecting the relevant evidence at least annually is crucial. The following is a road-map for how to go about this planning.
- A security awareness training program should include assembling a security awareness team, role-based security awareness, metrics, appropriate training content, and communication of security awareness within the organization.
- Protecting cardholder data (and Experian data, from the EI3PA perspective) should form part of any organization-wide information security awareness program.
- There should be training and awareness not only to build but also to maintain a secure environment.
- Training needs to be provided to employees on understanding PCI-DSS, SOC and EI3PA requirements, secure password practices, avoiding social engineering, avoiding malicious downloads, etc.
- Training media may consist of, but are not limited to, Classroom Training, Computer Based Training, Posters, Newsletters, Emails, Wallpapers and Screen Savers, Security Team Branding, and Prizes for employees who value the organization's security practices.
- There should be departmental Security Awareness Training and role-based security training, which together ensure that all employees undergo all the training relevant to them.
- Developers and Quality Assurance staff should be trained on the OWASP Top 10 and SANS 25 without fail.
- Employees who have access to sensitive data should be trained in handling and communicating it securely.
- IT team members should be trained on Security Misconfiguration, Incident Handling Processes, etc.
The following are the details of recommended reference materials that can be used.
- National Institute of Standards and Technology (NIST) Special Publication 800-50, Building an Information Technology Security Awareness and Training Program, http://www.nist.gov
- International Standards Organization (ISO) 27002:2013, Information technology — Security techniques — Code of practice for information security controls, http://www.iso.org
- International Standards Organization (ISO) 27001:2013, Information technology — Security techniques — Information security management systems, http://www.iso.org
- COBIT 5 Appendix F.2, Detailed Guidance: Services, Infrastructure and Applications Enabler, Security Awareness, http://www.isaca.org/cobit
Personally, I’d recommend going with the SANS Securing the Human project, which has a vast range of training videos at significantly lower prices, along with all the ready-to-go evidence you’d need for audit purposes.
Another smart way would be routing employees to selected videos on YouTube and later conducting a test on what they’ve learned, for evidence. Significantly cheaper, isn’t it?
On a closing note, I’d like to ping back to the original guidelines put forward by PCI-SSC for implementing a Security Awareness Training Program, for further reference.
That’s all for now; a more detailed article will be forthcoming. Feel free to share, comment, re-blog and/or ask questions.
Viva La Security, and have a Security Perspective!!