Payment Card Security Group Issues Best Practices

    Nov 18, 2014

    Organizations required to meet the Payment Card Industry Data Security Standard (PCI DSS) – which includes any organization that accepts, transmits, or stores payment card data – are required to have a formal security awareness program in place. The PCI Security Standards Council has made that task easier with its recent release of “Best Practices for Implementing a Security Awareness Program.” The report repeatedly emphasizes the importance of training.

    “Security awareness should be conducted as an ongoing program to ensure that training and knowledge is not just delivered as an annual activity, rather it is used to maintain a high level of security awareness on a daily basis,” the report stresses. 

    The guidelines, which were developed by a large group of retailers, banks, and technology providers, focus on three key areas: assembling a security awareness team; developing appropriate security awareness content for the organization; and creating a security awareness checklist.

    The first step, according to the report, is to assemble a security awareness team that includes representatives from a cross-section of the organization. This team will be responsible for developing, delivering, and maintaining the security awareness program. The guidelines provide specific guidance for defining the team and its role. 

    Next, the team should work with business units to classify each employee’s role and determine what training each needs based on the role and level of responsibility. The report provides sample role categories, potential content and metrics for each, and helpful references.

    Recognizing that many people find checklists helpful in planning and managing programs such as this, the report includes checklists for creating, sustaining, and documenting a security awareness program that can be customized as appropriate.

    The report concludes with two appendices: a checklist for mapping the PCI DSS requirements to different roles, materials, and metrics, and a sample table for recording how the organization is managing its security awareness program.

    ARMA International encourages information governance (IG) professionals to work with their organizations’ IT or information security departments to integrate this program into their overall IG infrastructures. As emphasized in ARMA International’s Generally Accepted Recordkeeping Principles®, protecting information assets is an integral part of IG. 

    The awareness training and education identified in this report are excellent areas for collaboration among records management, IT, information security, and IG. Perhaps an IG steering committee could serve the role the report outlines for the security awareness team. If not, there should be coordination between the IG committee and the security awareness team.

    © 2017, ARMA International