Security Awareness Compliance Requirements: Understanding Regulatory Mandates
Information security is of paramount importance today. It’s vital that sensitive information be protected from threats both internal and external. Those threats grow daily, with attackers launching ever-more sophisticated assaults on companies in a wide range of different industries.
To help combat those assaults, mitigate risk, and safeguard sensitive consumer, customer, and patient data, businesses in a number of industries are now subject to security awareness compliance requirements. Some of these requirements are set forth in government mandates. Others are the result of industry watchdog groups or special interest groups.
For business owners and decision makers, as well as information security professionals and even general staff members, security awareness is vital – this touches on everything from general risk mitigation to how to avoid phishing scams, and everything in between. In this article, we will take a look at some of the security awareness compliance requirements that pertain to today’s organizations and businesses.
Note that these requirements pertain only to employee security awareness compliance. They do not necessarily cover the steps an organization would need to take to comply with the full extent of the regulations.
The Health Insurance Portability and Accountability Act (HIPAA) applies to virtually all businesses and organizations in the healthcare sector, as well as to their partners, even if those partners are not technically involved with healthcare in any way. For instance, data clearinghouses that store patient information are just as bound by HIPAA security awareness compliance requirements as hospitals or doctors’ offices are.
HIPAA’s one security awareness compliance requirement is to implement a program that ensures security awareness and training for all staff members of the organization. Alongside it, HIPAA also requires that organizations:
- Implement specific procedures that detect or prevent security violations.
- Undertake a risk analysis to determine potential vulnerabilities.
- Ensure that adequate security steps have been taken to reduce risk.
- Create a sanction policy to deal with staff members who fail to comply with related policies and procedures.
- Ensure that information system activity records are reviewed regularly.
What does that mean? Simply put, your organization or business must have a robust security awareness and training program in place, and everyone within your organization must complete the training. That includes executives and management.
You don’t need an unlimited budget or dozens of hours to create a truly engaging security awareness campaign. You just need the right resources and a playbook.
Does your business or organization accept credit cards? If so, you fall under the purview of the PCI-DSS, or Payment Card Industry Data Security Standard. This standard was developed to help protect consumer financial information that might be compromised during a financial transaction, during the storage of financial records, and in other situations.
The security awareness compliance requirements for PCI-DSS include ensuring that all employees are educated on the importance of protecting cardholder information. This education can be delivered in a number of ways, including meetings, promotions, and even posters. Employees are also required to sign a written acknowledgement that they have both read and understood the security policy and procedures of the company.
Obviously, these security awareness compliance requirements hinge on your business or organization having a codified security policy and set of procedures, as well as some form of training that illustrates the importance of protecting cardholder information and financial data from the myriad threats in existence today.
The Gramm-Leach-Bliley Act, or GLBA, is also called the Financial Services Modernization Act of 1999. It covered a very wide range of things, but one of its most important focuses was financial privacy. The compliance requirements of the act cover a very wide range of topics, including the design and implementation of an information security system, employee training and management, threat and risk detection, and a great deal more. It also requires contractors to maintain similar safeguards, and calls for constant evaluation and adjustment of information security programs.
Obviously, in addition to creating those standards, a training program must be created to teach employees how to ensure the security and confidentiality of those records and financial information, as well as how to identify and defend against threats and risks, including unauthorized access to and use of that data.
The Federal Information Security Management Act (FISMA) applies to all federal agencies, as well as to contractors and other partners working with those agencies. The security awareness compliance requirements of FISMA include the need for security awareness training to ensure that all personnel, including contractors and anyone else who might interact with sensitive data, are aware of best practices and security policies and procedures.
Again, the focus of these requirements is on creating a training program, and then ensuring that all staff members (including contractors and others who have access to this information) not only complete the training, but fully understand the material covered, and comply with best practices and steps to protect that information.
National Institute of Standards and Technology (NIST) publication 800-53 focuses on the application of information security requirements for information systems and organizations within the federal government. The requirements are as follows, as found in NIST Special Publication 800-53 (Rev. 4) AU-1:
“- Develops, documents and disseminates to [Assignment: organization-defined personnel or roles]:
  - A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  - Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
- Reviews and updates the current:
  - Security awareness and training policy [Assignment: organization-defined frequency]; and
  - Security awareness and training procedures [Assignment: organization-defined frequency].”
Again, the focus here is on not only developing security policies and procedures, but in ensuring that all stakeholders are fully trained in those policies, procedures, roles and responsibilities.
Published by the International Organization for Standardization and the International Electrotechnical Commission, ISO/IEC 27002 specifies standards that apply to information security management systems. The security awareness compliance requirements, as found in ISO 27002 8.2.2, are as follows:
“All employees of the organization and, where relevant, contractors and third-party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.”
Once more, we see that the focus of these requirements is on providing awareness training for employees and others who may work with the business or organization.
Understanding the Concept of Compliance
In order to truly understand the onus of these security awareness compliance requirements, it’s important that we actually delve down into the concept of compliance. What does it really mean for a business or organization to be “in compliance” with security awareness requirements?
Simply put, it means that all employees, contractors, and sometimes vendors take actions that are consistent with the obligation stated in the requirement. A single employee who does not take the right actions, ignores compliance rules, or otherwise flouts security mandates causes the entire organization to be out of compliance. Even if the actions of that employee were in what they thought were the best interests of the business, or deemed to be protecting consumers, if they were not consistent with the requirements, the organization is out of compliance.
Let’s consider PCI-DSS compliance for a moment. Suppose a retail worker is behind the register at a store. The POS (point of sale) system goes down for some reason, meaning that they are unable to process credit cards electronically.
In an effort (however ill-advised) to provide customer service, the employee decides to accept credit cards and to write down the customer’s name, credit card number, and expiration date, along with the purchase price. That information is stored temporarily in a notebook at the cash register. The idea is that once the POS comes back up, the employee will run the transactions and everything will come out in the wash.
The problem here is that the employee has completely flouted the rules set forth in the PCI-DSS requirements. Not only is that employee not in compliance with the applicable requirements, but the entire retail business is out of compliance. Not to mention the threat posed if the credit card information of the store’s customers were to fall into the wrong hands.
We can take a similar example from the health insurance industry. Let’s suppose an insurer’s in-house intranet is experiencing problems, causing outages. In order to troubleshoot the network, an IT staff member disables the firewall.
The employee is able to identify the problem in less than 30 minutes, fixes it, and re-enables the firewall. The network now performs perfectly. The problem is that by disabling the firewall in the first place, the IT staff member caused the insurance company to be out of compliance with HIPAA regulations.
Meeting Security Awareness Compliance Requirements
As we saw when we touched on the security awareness compliance requirements of the various acts and regulations above, they all focus on security awareness training. Each of those regulations formally requires that organizations and businesses falling under its coverage institute a security awareness program.
What goes into creating such a security awareness program, though? There is no one-size-fits-all answer, since each organization will have at least somewhat different requirements under the regulations that apply to it, but there are a few commonalities that can be applied across the board.
The Human Element – Always at Risk
Before we delve into how a security awareness training program should be constructed, it’s important to understand why your people (employees, contractors, etc.) are the primary focus here. Shouldn’t you also focus on other elements, such as the infrastructure of your in-house network, having the right software security safeguards, and implementing the right physical security precautions?
In a word, yes. However, understand that humans in the mix will always be the weakest links in any security situation. Simply put, people are not very good at judging the risk of a particular action. This is one reason that phishing and spear-phishing attacks have become so popular. Humans are pretty likely to fall prey to them. This is because the risks inherent with clicking a link in an email or in downloading an attachment are not highly visible.
Most of us are pretty leery about doing something like standing on the edge of a cliff or walking in an area where a dangerous wild animal can be seen. In fact, we often overestimate those risks. We’re not so good when it comes to less obvious risks. Again, clicking a link doesn’t seem to carry any inherent danger, so we automatically assign it a lower risk level.
Your Security Awareness Training Program
Any security awareness training program must address several key issues. Primary among those is who needs the training. While you’ll automatically think of your full-time staff, you can’t neglect part-time workers, contractors and the like. You also cannot neglect management and executives.
Next, you need to determine what needs to be taught. This will largely hinge on how those people interact with the data/information that needs to be safeguarded. Obviously, an IT staff member will need to know more than an administrative assistant.
Finally, you need to consider how the training will take place. Video content is probably the most common, but studies show that this type of training only results in a 20% retention rate. That’s far too low.
At Infosec, we’ve developed a robust training program that will help ensure that you meet all security awareness compliance requirements. Our security awareness training platform, AwareEd, delivers hands-on training that results in an 80% retention rate, and can be customized by adding or removing specific modules. We can even deliver training in a range of different languages to suit your needs.
We also offer an advanced anti-phishing training platform, called PhishSim. It’s designed to help you create your own phishing attack emails, or use our templates, to train staff members to recognize these threats and deal with them appropriately.
Let us help you ensure compliance with security awareness compliance requirements. Contact us today to learn more about our training platforms.