The PCI Security Standards Council (PCI SSC) published guidance today aimed at helping businesses build information security awareness programs.
The document, entitled ‘Best Practices for Implementing a Security Awareness Program’, offers companies recommendations for educating staff on protecting sensitive payment data.
The guidance was developed by retailers, banks and technology providers, and focuses on three key areas: assembling a security awareness team; developing appropriate security awareness content for the organization; and creating a security awareness checklist.
“The first step in the development of a formal security awareness program is assembling a security awareness team,” the paper notes. “This team is responsible for the development, delivery, and maintenance of the security awareness program. It is recommended the team be staffed with personnel from different areas of the organization, with differing responsibilities representing a cross-section of the organization.”
“Having a team in place will help ensure the success of the security awareness program through assignment of responsibility for the program,” the paper continues. “The size and membership of the security awareness team will depend on the specific needs of each organization and its culture.”
Organizations should also divide employees into groups to ensure the right people are getting the right training. The training program, the paper recommends, should be tailored for three groups – all personnel, specialized roles and management.
“Management has additional training needs that may differ from the two previous areas,” according to the paper. “Management needs to understand the organization’s security policy and security requirements enough to discuss and positively reinforce the message to staff, encourage staff awareness, and recognize and address security related issues should they occur. The security awareness level of management may also need to include an overall understanding of how the different areas fit together.”
Earlier this year, research by consulting firm Enterprise Management Associates found that more than half of the enterprise employees surveyed had not received any security or policy awareness training from their employer.
Whether it’s the POODLE attack, Shellshock or the latest variant of malware, businesses and employees are exposed to threats every day that can put sensitive information at risk, PCI SSC Chief Technology Officer Troy Leach said in a statement.
“PCI Standards emphasize the importance of people, process and technology when it comes to protecting payment information,” he said. “This guidance can help businesses focus on the ‘people’ part of the equation and build a greater culture of security awareness and vigilance across their organizations.”
More from Brian Prince
- U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware
- CryptoWall Ransomware Cost Victims More Than $18 Million Since April 2014: FBI
- New Adobe Flash Player Flaw Shares Similarities With Previous Vulnerability: Trend Micro
- Visibility Challenges Industrial Control System Security: Survey
- Adobe Flash Player Zero-Day Exploited in Attack Campaign
- Researchers Demonstrate Stealing Encryption Keys Via Radio
- Researchers Uncover Critical RubyGems Vulnerabilities
- NSA, GCHQ Linked to Efforts to Compromise Antivirus Vendors: Report
Latest News
- Insider Q&A: Artificial Intelligence and Cybersecurity In Military Tech
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- OpenAI Unveils Million-Dollar Cybersecurity Grant Program
- Galvanick Banks $10 Million for Industrial XDR Technology
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Idaho Hospitals Working to Resume Full Operations After Cyberattack
