Information Security Tips from Westfield Insurance: Information Security Awareness and Training... Yes, it's required.

InfoSec Favorites

CMU Anti-Phishing Game
Learn to identify fraudulent URLs
OnGuard Online
Many security tips and educational materials collected and shared by the FTC
Anti-Phishing Blog
Lots of examples of phishing and other scams
SEO by the Sea
Search Engine Optimization
Fraudwar
Schneier on Security
eDiscoTECH
Reviews of legal cases and decisions in the new field of Electronic Discovery
IT Business Edge

Over the years, one of the questions I have been asked most frequently is, "Do we really need to have an Information Security awareness and training program?" The question is often followed up by a statement calling into question the perceived value of awareness and training. My standard response is typically along the lines of, "Yes. It is required and, perhaps more importantly, the right thing to do."

Setting aside the value-based approach of 'doing the the right thing' to keep information secure and private, most people are surprised to learn Information Security awareness and training is a compliance obligation often required by law, industry regulation, and or business contract. Additionally, it is called out in numerous 'best practice' frameworks.

So, in the spirit of ongoing Information Security awareness and to assist those who have requested more information on this subject, I've decided to list a just a few of the numerous laws, regulations, and frameworks applicable to North America. Bear in mind some are industry specific. I hope this proves helpful.

Laws and Regulations (North America)

Health Information Portability and Accountability Act (HIPAA):   §164.3

Canada Personal Information Protection Electronic Documents Act (PIPEDA):   Schedule 1 Clause 4.1.4(c), Scedule 1 Clause 4.7.4

Privacy Act of 1974:   §552a(e)(9)

Fair and Accurate Credit Transactions Act (FACTA):   §151, §213(d)

FACTA Red Flag Rule:   §41.90(e)(3), §222.90(e)(3), §334.90(e)(9), §571.90(e)(9), §681.2(e)(9), §717.90(e)(9)

Leahy Personal Data Privacy Security Act:   §302(b)

Tlaxcala Law:   Article 27

FFIEC Information Security:   Page 7, Page 62

NERC:   CIP-004-1

FDA 21 CFR Pt 11:   §11.10(i)

Massachusetts 201 CMR 17.00:   §17.04(8)

Business Contracts

Payment Card Industry Data Security Standard (PCI DSS): §12.6

'Best Practice' Frameworks

ISO 17799 / ISO 27002:   §8.2.2

ITIL Security Management:   §4.2.2.2

AICPA Privacy:   ID 1.1.1

NIST 800: numerous sections

(Important Note: Compliance obligations are not 'one size fits all'. What one organization must be compliant with may not hold true for another organization, even if they are within the same industry. It is aboslutely essential to develop an organization specific compliance framework reflective of all compliance obligations known to the organization.)

Comments

You can follow this conversation by subscribing to the comment feed for this post.

There's a lot more to security awareness than compliance, Robert. For example, without awareness, how are IT people supposed to know that they ought to be designing and using technical controls? How are management supposed to understand the information security risks the organization faces on a daily basis, or their part in ensuring that those risks are brought under control? In other words, security awareness is much more than just an annual briefing of the troops. Ordinary employees need to appreciate that they may be scammed and exploited for their access to corporate and personal information, and that there are numerous security controls that depend on them being alert and reacting appropriately to threats that may materialize at any time.

Kind regards,
Gary

Posted by: Gary Hinson | 29 May 2010 at 04:00

Excellent point, Gary. There is far more to Information Security awareness than just compliance with any number of laws and regulations. Awareness and training typically deals with the qualitative. Much of what we do to help keep information secure and private is tied directly to people, their roles, and cultivating a 'culture of awareness' within the organization. Spending time with folks, both 1-to-1 and 1-to-many, is essential in helping them better understand how to mitigate risk to the organization within their job role. Their secure business practices then aggregate to meeting applicable compliance obligations.

Thanks for the comment.

Posted by: Robert Salandre | 16 June 2010 at 09:30

Verify your Comment

Previewing your Comment

Posted by: |

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:

Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Information Security Tips from Westfield Insurance

Search

About

Categories

Westfield Links

Westfield Blogs

InfoSec Favorites

Information Security Awareness and Training... Yes, it's required.

Comments

Verify your Comment

Previewing your Comment

Post a comment