Security Awareness Blog

Standards Requiring Security Awareness Training

Folks, as you may have noticed, we have been adding a tremendous number of new resources to the Security Awareness Resources section of the Securing The Human website. A new page we will be adding soon is on "Business Justification", providing the resources you need to get management support AND funding for your awareness program. One of the first documents I'm creating is a list of all standards and regulations that require security awareness training. While compliance is not the only reason for awareness training, it can be a good place to start when seeking management buy-in. However, I need your help. There are many standards I may not be aware of, especially international ones. If you have a moment, please download a draft copy of "Standards That Require Security Awareness Training", review it, and let me know which standards or regulations I'm missing, or whether there is anything we can do to improve the existing documentation, such as quoting more of the relevant sections from each regulation. Once we have your input, we will make this document free for public use. Thanks!

6 Comments

Posted June 18, 2011 at 4:47 AM | Permalink | Reply

Osama Salah

ISO 27002 8.2.2 Information security awareness, education, and training
Control
All employees of the organization and, where relevant, contractors and third party users should
receive appropriate awareness training and regular updates in organizational policies and procedures,
as relevant for their job function.
ISO 27001 5.2.2 Training, Awareness and competence
One could argue that any standard requiring you to do a risk assessment and treatment would, to some degree, require you to address security awareness.

Posted June 19, 2011 at 6:51 PM | Permalink | Reply

lspitzner

Perfect, just added this to the document thanks so much!
lance

Posted June 20, 2011 at 6:46 PM | Permalink | Reply

Girard

Some other standards to consider:
CobiT 4.1:
PO6 Communicate Management Aims and Direction
Security Awareness is specifically mentioned in the maturity model for meeting this control requirement.
PO7.4 Personnel Training
Provide IT employees with appropriate orientation when hired and ongoing training to maintain their knowledge, skills, abilities,
internal controls and security awareness at the level required to achieve organisational goals.
DS5 Ensure Systems Security (maturity model for this control)
DS7 Educate and Train Users (maturity model for this control)
NIST 800-53
AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-2 SECURITY AWARENESS

Posted June 20, 2011 at 9:06 PM | Permalink | Reply

lspitzner

This is great stuff, I'm definitely adding to the document. Also adding EU Privacy Directive, hope to have this all ready by the end of the week

Posted June 23, 2011 at 4:31 PM | Permalink | Reply

SarahB

I think several state breach notification laws have requirements, but I'll just quote Massachusetts 201 CMR 17.00 which says:
17.03 Duty to Protect and Standards for Protecting Personal Information
(2)(b) "… evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to:
1. ongoing employee (including temporary and contract employee) training; …"

Posted June 23, 2011 at 5:21 PM | Permalink | Reply

lspitzner

Sarah, great catch thanks so much! However I'm holding off listing regulations for individual states simply because it would be overwhelming. Instead I'm providing links and references that have more information on all fifty states privacy laws. For example, in the document we have the reference below. If you have a suggestion on a resource that provides more details on state breach notification laws for all fifty states, that would be great, I would be happy to include! Thanks so much, and keep the great feedback coming!
Many states in the United States have their own individual privacy laws. You can find a listing of most of those state privacy laws at Morrison & Foerster's Privacy Library. Many of these privacy laws require some type of awareness training, or at a minimum that the privacy requirements are communicated to employees in that state. Learn more at: http://www.mofo.com/privacy--data-security-services/