SecurityWeek

Compliance

PCI Security Standards Council Releases Guide for Building Security Awareness Programs

The PCI Security Standards Council (PCI SSC) published guidance today aimed at helping businesses build information security awareness programs.

The document, titled ‘Best Practices for Implementing a Security Awareness Program’, offers companies recommendations for educating staff on protecting sensitive payment data.

The guidance was developed by retailers, banks and technology providers, and focuses on three key areas: assembling a security awareness team; developing appropriate security awareness content for the organization; and creating a security awareness checklist.

“The first step in the development of a formal security awareness program is assembling a security awareness team,” the paper notes. “This team is responsible for the development, delivery, and maintenance of the security awareness program. It is recommended the team be staffed with personnel from different areas of the organization, with differing responsibilities representing a cross-section of the organization.”

“Having a team in place will help ensure the success of the security awareness program through assignment of responsibility for the program,” the paper continues. “The size and membership of the security awareness team will depend on the specific needs of each organization and its culture.”

The paper also recommends segmenting employees so that each group receives training appropriate to its role. It identifies three audiences for which the program should be tailored: all personnel, specialized roles, and management.

“Management has additional training needs that may differ from the two previous areas,” according to the paper. “Management needs to understand the organization’s security policy and security requirements enough to discuss and positively reinforce the message to staff, encourage staff awareness, and recognize and address security related issues should they occur. The security awareness level of management may also need to include an overall understanding of how the different areas fit together.”

Earlier this year, research by consulting firm Enterprise Management Associates found that more than half of the enterprise employees surveyed had not received any security or policy awareness training from their employer.

Whether it’s the POODLE attack, Shellshock or the latest variant of malware, businesses and employees are exposed to threats every day that can put sensitive information at risk, PCI SSC Chief Technology Officer Troy Leach said in a statement.

“PCI Standards emphasize the importance of people, process and technology when it comes to protecting payment information,” he said. “This guidance can help businesses focus on the ‘people’ part of the equation and build a greater culture of security awareness and vigilance across their organizations.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
