Editor’s Note: This news story is part of SearchSecurity.com's "Eye on" series that brings together various perspectives on security topics throughout the year from SearchSecurity and its sister sites. In the month of June the series examines CISO management issues.
Teaching employees to be aware of an organisation's security requirements can be one of the most effective ways to enhance the company's overall security programme. Such IT security awareness training is also a cornerstone of many regulations and standards, making employee compliance education not only worthwhile, but essential.
But where should an enterprise start when it comes to such training, particularly considering the multitude of regulations, standards and emerging security technologies to which organisations are beholden? To help answer that question, we've compiled this IT security awareness training tutorial, which contains advice from recognised experts on how to conduct the training, and on what it should cover.
The following tips address security awareness training for the PCI Data Security Standard, the Data Protection Act (DPA) and the ever-growing realm of social networking.
Employee information awareness training: PCI policy templates
To comply with PCI DSS — and keep cardholder data secure — organisations must train their employees on data handling best practices. This tip from PCI consultant and QSA Mathieu Gorge gives advice on what information you should be sure to convey to users, such as what in-scope staff need to know about handling CHD, as well as where and how they can report suspected incidents, to ensure they aren’t a gap in your PCI compliance efforts.
Information awareness training: Data Protection Act policy template
To comply with the Data Protection Act, an organisation's users must be fully informed about what they can and cannot do under DPA stipulations. This tip from compliance and governance expert Alan Calder provides a list of answers to some of the most-asked questions regarding DPA compliance — including requirements for keeping personal data up to date, retaining log data, and protecting portable media — then gives advice on how to explain these DPA requirements to staff.
A social networking policy template for information awareness training
All organisations should have a policy to address inappropriate employee social networking, particularly considering the risk that unmonitored use of such sites can introduce. Expert Michael Cobb lays out a policy and employee training checklist covering the three main categories of social networking risk that organisations can use to instruct workers on the do's and don'ts of the social Web.
This was first published in June 2011