Did you know there are over 8,500 different Local, State, and Federal standards & requirements your organization may be required to comply with? This staggering number can come as a surprise to many. That’s why we\u2019ve taken the time to compile a list of the most common standards which may require your organization to implement a security awareness program.<\/p>\n
Does Your Business Accept Credit Cards?<\/em><\/strong><\/span><\/p>\n If so, you are required by law to comply with PCI security standards.\u00a0PCI DSS<\/a> applies to any business that processes credit cards or any other form of electronic payment. Standards include educating employees on the importance of cardholder information security.\u00a0 It also requires employees to acknowledge in writing that they have read and understood the company\u2019s security policy and procedures. Note, you should already have a written security and procedure policy for your organization.\u00a0 You can learn more about security standards here<\/a>.<\/p>\n Is Your Company Public?<\/em><\/strong><\/span><\/p>\n The Sarbanes-Oxley Act<\/a>, also known as the \u201cPublic Company Accounting Reform & Investor Protection Act\u201d was established to set and expand requirements for all U.S. publicly traded companies.\u00a0 Rules include every annual report to contain an internal control report – which shall state the responsibility of management for developing and maintaining adequate internal control structure & procedures for financial reporting. Even if you are planning to go public sometime in the future, start working on a security awareness training plan now.<\/p>\n Are You In The Healthcare Sector?<\/em><\/strong><\/span><\/p>\n For organizations within the healthcare sector, the Health Insurance Portability & Accountability Act or HIPAA as it is more commonly known, is a very important rule that affects the way you store & protect patient information.\u00a0 HIPAA requires the implementation of a security awareness and training program for all your workforce, including consultants.\u00a0 Learn more here<\/a>.<\/p>\n Other Noteworthy Governance\u2026<\/strong><\/span><\/p>\n ISO\/IEC 27001 & 27002<\/a> \u2013 Requires that all employees of an organization, as well as contractors or third party users, should receive awareness training & regular updates in organizational policies, as relevant to their job function.<\/p>\n FACTA \u2013 FTC Red Flags Rule<\/a> \u2013 Under FACTA, which is an amendment to the Fair Credit Reporting Acts, the FTC created the Red Flags Rule. The ruling requires training as part of an Identity Theft Prevention Program.\u00a0 16 CFR 681.1:\u00a0 Employees should be trained about the various red flags to look out for, and\/or any other relevant aspect of the organization\u2019s Identity Theft Prevention Program.<\/em><\/p>\n Gramm-Leach Bliley Act<\/a> \u2013 6801.(b).(1)-(3) In furtherance of the policy in subsection (a) of this section, each agency or authority described in section 6805(a) if this title shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical & physical safeguards:<\/em><\/p>\n CobiT<\/a> \u2013 PO7.4 Provide IT employees with appropriate orientation when hired and ongoing training to maintain their knowledge, skills, abilities, internal controls, and security awareness as the level required to achieve organizational goals. Section DS7 Management of the process to educate and train users that satisfies the business requirement for IT of effectively and efficiently using application and technology solutions and ensuring user compliance with policies and procedures is defined when a training and education program is instituted and communicated, and employees and managers identify and document training needs.\u00a0Training and education processes are standardized and documented.\u00a0 Budgets, resources, facilities, and trainers are being established to support the training and education program.\u00a0 Formal classes are given to employees on ethical conduct and system awareness and practices.\u00a0 Most training and education processes are monitored, but not all deviations are likely to be detected by management.\u00a0 Analysis of training and education problems is only occasionally applied.<\/p>\n Federal Information Security Management Act (FISMA)<\/a> \u2013 3544.(b).(4).(A).(B) Securing awareness training is required to inform personnel, including contractors and other users of information systems on how to support the operations and assets of the agency, of information security risks associated with their activities; and their responsibilities in complying with agency policies and procedures designed to reduce these risks.<\/p>\n US State Specific Privacy Laws<\/strong><\/span><\/p>\n Many states in the U.S. have their own privacy laws.\u00a0 For example, one of the most robust privacy laws is here in the state of Massachusetts. 201 CMR 17.03<\/a> \u2013 the Massachusetts privacy law mandates training to maintain a comprehensive information security program.\u00a0 The training must focus on reasonably foreseeable internal and external risks to the security, confidentiality, and\/or integrity of any electronic, paper, or other records containing personal information.\u00a0 Training must be ongoing and must be given for not only permanent employees but also temporary or contract employees.<\/p>\n Want to better understand how an effective security awareness program can prevent incurring regulatory fines as well as help to protect your organization from new security threats? Contact Us<\/a> today!<\/p>\n If you found the information in this blog post helpful and you'd like to discuss your business' technology strategy, then we'd be happy to hear from you.<\/p>\n<\/div>\n\t<\/div>\n<\/div>\n\n
\n\t\tConfident with Your IT Strategy?<\/span>\n\t<\/h2>\n\t<\/div>\n<\/div>\n