The PCI Security Standards Council (PCI SSC) published guidance today aimed at helping businesses build information security awareness programs.
The document, entitled ‘Best Practices for Implementing a Security Awareness Program’, offers companies recommendations for educating staff on protecting sensitive payment data.
The guidance was developed by retailers, banks and technology providers, and focuses on three key areas: assembling a security awareness team; developing appropriate security awareness content for the organization; and creating a security awareness checklist.
“The first step in the development of a formal security awareness program is assembling a security awareness team,” the paper notes. “This team is responsible for the development, delivery, and maintenance of the security awareness program. It is recommended the team be staffed with personnel from different areas of the organization, with differing responsibilities representing a cross-section of the organization.”
“Having a team in place will help ensure the success of the security awareness program through assignment of responsibility for the program,” the paper continues. “The size and membership of the security awareness team will depend on the specific needs of each organization and its culture.”
Organizations should also divide employees into groups to ensure the right people are getting the right training. The training program, the paper recommends, should be tailored for three groups – all personnel, specialized roles and management.
“Management has additional training needs that may differ from the two previous areas,” according to the paper. “Management needs to understand the organization’s security policy and security requirements enough to discuss and positively reinforce the message to staff, encourage staff awareness, and recognize and address security related issues should they occur. The security awareness level of management may also need to include an overall understanding of how the different areas fit together.”
Earlier this year, research by consulting firm Enterprise Management Associates found that more than half of the enterprise employees surveyed had not received any security or policy awareness training from their employer.
Whether it’s the POODLE attack, Shellshock or the latest variant of malware, businesses and employees are exposed to threats every day that can put sensitive information at risk, PCI SSC Chief Technology Officer Troy Leach said in a statement.
“PCI Standards emphasize the importance of people, process and technology when it comes to protecting payment information,” he said. “This guidance can help businesses focus on the ‘people’ part of the equation and build a greater culture of security awareness and vigilance across their organizations.”