Staff awareness training is fundamental for effective information security management and for meeting regulatory and compliance requirements. In order for an organisation to comply with PCI DSS v3.0, Requirement 12.6, a formal security awareness programme must be implemented.
The PCI Security Standards Council (PCI SSC) has recently released its Information Supplement: Best Practices for Implementing a Security Awareness Program. This document provides a practical guide for developing a staff awareness programme and attempts to set minimum benchmarks for those with existing programmes.
Why is security awareness important?
The PCI SSC has confirmed the following:
“One of the biggest risks to an organisation’s information security is often not a weakness in the technology control environment. Rather it is the action or inaction by employees and other personnel that can lead to security incidents—for example, through disclosure of information that could be used in a social engineering attack, not reporting observed unusual activity, accessing sensitive information unrelated to the user’s role without following the proper procedures, and so on.”
The PCI SSC Best Practices for Implementing a Security Awareness Program outlines the following:
Organisational security awareness: A successful security awareness programme within an organisation may include assembling a security awareness team, role-based security awareness, metrics, appropriate training content and communication of security awareness within the organisation.
Security awareness content: A critical aspect of training is determining the type of content. Determining the different roles within an organisation is the first step to developing the appropriate type of content and will also help determine the information that should be included in the training.
Security awareness training checklist: Establishing a checklist may help an organisation when developing, monitoring and/or maintaining a security awareness training programme.
The most crucial aspect of this best practice is the identification and assignment of staff roles. Role-based security awareness provides organisations with a reference for training personnel at the appropriate levels based on their job functions. The PCI SSC recommends that a minimum of three roles are defined: specialist, management and all personnel. Building on a platform of a ‘minimum of security awareness’, the depth and complexity of training should increase as the level of risk increases with associated roles.
Examples of users in specialised roles may include those processing payment cards, writing applications that process payment cards, building databases to hold CHD, or designing and building networks that CHD traverses. Each of these specialised roles requires additional training and awareness to build and maintain a secure environment.
A full copy of the PCI SSC Best Practices for Implementing a Security Awareness Program can be downloaded from the PCI SSC website.
Security awareness may be delivered in many ways, including formal training, computer-based training, emails and circulars, memos, notices, bulletins and posters. Please see our comprehensive portfolio of Staff Awareness products, featuring our PCI DSS Staff Awareness Online Course, which can be customised to meet the requirements of all staff in an organisation.