Essential Guide

How to prepare for the emerging threats to your systems and data

A comprehensive collection of articles, videos and more, hand-picked by our editors
Q

Regulatory compliance requirements for security awareness programs

Employees play an important role in achieving and maintaining regulatory compliance, explains compliance expert Mike Chapple.

According to the Wall Street Journal, the U.S. Department of Justice recently admonished financial institutions...

for not adequately encouraging employees to follow compliance regulations. What would you recommend organizations do to train employees about regulatory compliance? Are there any regulations that actually penalize organizations monetarily for not encouraging compliance?

Ask the expert

Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)

An organization cannot comply with any compliance obligation unless the actions of its employees are consistent with that obligation. The actions of a single employee can completely undermine the organization's security program.

For example, a retail clerk who compensates for point-of-sale (POS) terminal failures by keeping a log book of credit card transactions, including full card numbers, would be in direct violation of the Payment Card Industry Data Security Standard (PCI DSS). Similarly, an IT staffer who disables a hospital's firewall for troubleshooting reasons may inadvertently jeopardize the organization's compliance with the Health Insurance Portability and Accountability Act (HIPAA).

For this reason, it is imperative to design a security awareness program that emphasizes the individual responsibilities of employees to ensure the safety of the organization's information assets. This should be tailored to the employee's job function and include both initial training for new employees and refresher training to keep security responsibilities top-of-mind. It's possible to leverage external providers and content for this training, but you alone are responsible for ensuring that employees are aware of their responsibilities.

PCI DSS includes a formal requirement for this program, stating that organizations must "implement a formal security awareness program to make all personnel aware of the importance of cardholder data security" and "educate personnel upon hire and at least annually." Organizations failing to meet these requirements are not PCI DSS compliant and may be subject to hefty fines. PCI DSS is not alone in mandating this training. HIPAA, as well as many other security regulations, also requires that organizations conduct security awareness training.

This was last published in May 2014

PRO+

Content

Find more PRO+ content and other member only offers, here.

Essential Guide

How to prepare for the emerging threats to your systems and data

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

"For example, a retail clerk who compensates for point-of-sale (POS) terminal failures by keeping a log book of credit card transactions, including full card numbers, would be in direct violation of the Payment Card Industry Data Security Standard (PCI DSS)."
No it wouldn't. The PCI DSS does not intend to prevent commerce so a scenario like this would be allowed. There are right ways and wrong ways to do it, but the activity itself you have described is not a "direct violation of the PCI DSS".
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close