One of the biggest weaknesses in information security today is the human element: the end user. Year after year, organizations put new security controls, policies, and best practices in place, yet every year breaches still occur. No one is immune, from the smallest organization to the largest, and no breach is too small to make the news or be recorded on sites like www.privacyrights.org. It only takes one simple mistake by an uneducated end user to leave an open door in your security. Every organization has stories like these: John keeps his password on a sticky note under his keyboard, Jane downloaded a "harmless" penguin game from a Russian website, Josh tossed a stack of medical records in the trash can at his desk, and Jen got a call from an "IT Support Technician" and read him her password. Most information security controls can be bypassed or subverted by a careless or unaware end user, and technical controls rarely stop someone who has been talked into handing over their credentials. I have lost count of the number of times I have heard an end user say, "I had no idea there was a policy on that." If you do not educate your end users on your organization's policies and security posture, you are setting the organization up for a data breach. An effective information security awareness training program is a vital part of your defense.
Is information security awareness training required for my organization? Yes and no. Your particular business and the data you handle determine whether you are required to provide some form of awareness training to your employees or end users. Even if your company is not required to have a program, it is best practice to implement one anyway. Numerous laws, regulations, industry standards and frameworks now require some form of information security awareness training. A few are listed here (quoted from the editions current at the time of writing; check the version that applies to you, since numbering changes between editions):
Health Insurance Portability and Accountability Act (HIPAA) Security Rule, 45 CFR §164.308(a)(5)(i), states: "Implement a security awareness and training program for all members of its workforce (including management)."
Federal Information Security Management Act (FISMA), 44 U.S.C. §3544(b)(4), states: "Security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of information security risks associated with their activities; and their responsibilities in complying with agency policies and procedures designed to reduce these risks."
Payment Card Industry Data Security Standard (PCI DSS) Requirement 12.6 states: "Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security."
North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection standard CIP-004-3, Requirement R1 (Awareness), states: "The Responsible Entity shall establish, document, implement, and maintain a security awareness program to ensure personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets receive on-going reinforcement in sound security practices."
ISO/IEC 27002:2005, control 8.2.2 (Information security awareness, education and training), states: "All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function." (The 2013 edition carries the same requirement, renumbered as 7.2.2.)
COBIT 4.1 process DS7 (Educate and Train Users) states: "Management of the process of educating and training users that satisfies the business requirement for IT of effectively and efficiently using applications and technology solutions and ensuring user compliance with policies and procedures."