Information Security Awareness and Training – Regulatory Requirements
Many organizations develop a security awareness program in response to legal or regulatory requirements. The following is a partial list of the numerous federal, state and international regulations that include security awareness and training as part of their data protection requirements.
Certain regulations are very specific about the requirements for security awareness and training. Others simply require safeguards that are "appropriate" for the size and type of organization. In these cases, enforcement agencies and auditors must defer to accepted best practices or frameworks for guidance. Examples of such frameworks are COBIT (Control Objectives for Information and Related Technologies), ISO/IEC 27002 (formerly ISO/IEC 17799), and the OECD Privacy Principles.
International Standards
ISO/IEC 27002: Section 7.2.2 Information security awareness, education, and training (2013 edition numbering)

Healthcare
HIPAA Security Rule, 45 CFR 164.308(a)(5)(i) (R): Implement a security awareness and training program for all members of its workforce (including management).

PCI-DSS / Financial Services
Gramm-Leach-Bliley Act (GLBA) Title V – Section 501

US Federal Government
Federal Information Security Management Act (FISMA): (4) Establish security awareness training to inform all personnel, including contractors and other users of information systems [ … ]
NIST SP 800-53 control family AT – Awareness and Training
Learn how to effectively train all employees and contractors using our information security awareness training solution.