Editor’s Note: This news story is part of SearchSecurity.com's "Eye on" series that brings together various perspectives on security topics throughout the year from SearchSecurity and its sister sites. In the month of June the series examines CISO management issues.
Teaching employees to be aware of an organisation's security requirements can be one of the most effective ways to enhance the company's overall security programme. Such IT security awareness training is also a cornerstone of many regulations and standards, making employee compliance education not only worthwhile, but essential.
But where should an enterprise start when it comes to such trainings, particularly considering the multitude of regulations, standards and emerging security technologies to which organisations are beholden? To help answer that question, we've complied this IT security awareness training tutorial, which contains advice from recognised experts on how to conduct the trainings, and on what they should cover.
Employee information awareness training: PCI policy templates
To comply with PCI DSS — and keep cardholder data secure — organisations must train their employees on data handling best practices. This tip from PCI consultant and QSA Mathieu Gorge gives advice on what information you should be sure to convey to users, such as what in-scope staff need to know about handling CHD, as well as where and how they can report suspected incidents, to ensure they aren’t a gap in your PCI compliance efforts.
Information awareness training: Data Protection Act policy template
To comply with the Data Protection Act, an organisation's users must be fully informed about what they can and cannot do under DPA stipulations. This tip from from compliance and governance expert Alan Calder provides a list of answers to some of the most-asked questions regarding DPA compliance — including requirements for keeping personal data up to date, retaining log data, and protecting portable media — then gives advice on how to explain these DPA requirements to staff.
A social networking policy template for information awareness training
All organisations should have a policy to address inappropriate employee social networking, particularly considering the risk that unmonitored use of such sites can introduce. Expert Michael Cobb lays out a policy and employee training checklist covering the three main categories of social networking risk that organisations can use to instruct workers on the do's and don'ts of the social Web.