Information Security Awareness and Training – Regulatory Requirements

Many organizations are developing a security awareness program in response to legal or regulatory requirements. Following is a partial list of the numerous federal, state and international regulations that include security awareness and training as part of the data protection requirements.

Certain regulations are very specific about the requirements for security awareness and training. Others simply require safeguards that are “appropriate” for the size and type of organization. In these cases, enforcement agencies and auditors must defer to accepted best practices or frameworks for guidance. Examples of these frameworks are the Control Objectives for Information Technology (COBIT™), ISO/IEC 27002 (now ISO 27002), and the OECD Privacy Principles.

ISO 27002/27001

Section 7.2.2 Information security awareness, education, and training

All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function. 

Healthcare

HIPAA (Health Insurance Portability and Accountability Act of 1996)
Security Final Rule
164.308 (a)(5)(i) (R) Implement a security awareness and training program for all members of its workforce (including management).

PCI-DSS / Financial Services

PCI-DSS V3

12.6 Security Awareness – Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.

Gramm-Leach-Bliley Act (GLBA) Title V – Section 501

Safeguards Rule 314.4: “(b) Identify reasonably foreseeable internal and external risks […] including – (1) Employee training and management.”

US Federal Government

Federal Information Security Management Act (FISMA)

NIST 800-53

AT – Awareness and Training

“(a) The head of each [Federal] agency shall […] (4) Establish security awareness training to inform all personnel, including contractors and other users of information systems […]”
