Listening to conversations around the water cooler at organizations of all sizes, one might conclude that compliance awareness is at an all-time high. However, there continue to be reports of compliance breaches resulting from the inadvertent actions of employees unfamiliar with the consequences of their actions.
Organizations that build and maintain a robust compliance training program can mitigate this risk and reduce the likelihood that a routine error will lead to a major compliance issue. In this tip, we'll review the specific steps you can use to start a compliance awareness training effort at your organization.
When putting together a compliance awareness training program, gather the human and financial resources needed to develop a robust approach to training and assessment. As with any commitment of resources, this is easiest to achieve with executive support. Building a strong business case for the training program by illustrating the specific ways it can reduce organizational risk and gaining the support of organizational leaders is an effective way to remove barriers and obtain the funding and time commitment necessary to design, implement and deploy a training initiative.
The human resources required for a program come in several forms. First, there should be a clearly defined owner of the initiative. If an enterprise has a compliance office, that's one obvious source for a process owner. Otherwise, consider placing ownership of the initiative with legal, human resources or one of the major functional areas with compliance obligations. This owner can then be the champion who identifies and rallies the subject matter and training experts needed to put the program together.
The organization also needs to select the appropriate delivery mechanism(s) for the compliance content. This mix will vary based upon the budget, the complexity of the curriculum and the culture of the organization. Mechanisms commonly deployed include instructor-led training, Web-based courses and self-paced printed materials. Large organizations with a diverse workforce will probably want to offer a range of options that suit the learning styles of different students. A smaller organization may simply choose the most cost-effective option that meets its goals.
Developing the curriculum
Gathering the resources needed to deliver training is only the first step. An organization needs to develop a curriculum with content tailored to its specific compliance needs. There are three options: purchasing content, developing content or customizing content purchased elsewhere. The simplest and likely the most cost-effective approach is to purchase training materials that can be used in the organization immediately. If this meets the company's needs, that's fantastic; if not, consider whether customizing existing materials would cover its compliance obligations. If that fails, the organization may need to develop its own content from scratch.
While developing a training curriculum, be sure to cover every compliance obligation facing the organization. In some cases, this may include many diverse regulations, such as HIPAA, PCI DSS, GLBA, SOX and others. While it's important to cover all requirements, also tailor the training scope to the specific job responsibilities of each student. For example, a hospital might train cafeteria staff on proper credit card handling practices, but it probably wouldn't be necessary to give those same staff detailed training on privacy obligations regarding electronic medical records, as they never come in contact with those materials.
Along those same lines, tailor the depth of the training to an individual's role. Both the cafeteria staff and database administrators require training on PCI DSS. The cafeteria cashier needs job-oriented knowledge regarding physical handling of credit cards, the use of swipe terminals, and procedures for handling suspicious transactions. The database administrator will likely never handle a card transaction personally and does not need this knowledge. Database administrators, on the other hand, will need to know about encryption technology, data retention requirements and similar obligations. Tailoring the content to the role limits the time investment for each person and increases the likelihood that they will retain job-specific knowledge.
Assessing the results
Once the content is developed and deployed through the organization's training program, implement an assessment program that ensures the company is meeting its ongoing training obligations. At a minimum, the system in place should provide a verifiable audit trail of completed training. If an assessor asks the organization to demonstrate compliance with training requirements, it should be able to easily pull those records for either an individual employee or an entire unit. Tracking completion of training in a sustainable manner is almost as important as delivering the training itself.
Should an organization administer quizzes or tests as part of its training program? If the culture suggests the organization is patient and inquisitive enough to be accepting of these tools, they are a powerful way to both drive mindful participation in training programs and assess the effectiveness of the content. Organizations may choose to administer short, "Are you paying attention?"-style quizzes throughout the material, or ask students to pass an end-of-course assessment to demonstrate mastery.
Deploying a robust compliance training and tracking initiative is a powerful way to both reduce risk to an organization and ensure it is meeting its training obligations. The wide variety of content sources, delivery mechanisms and assessment tools gives an organization the flexibility to develop an approach that meets its business needs and fits within its culture.
About the author:
Mike Chapple, Ph.D., CISA, CISSP, is senior director for IT service delivery at the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity, and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He previously served as a site expert on network security, and is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and the Security+ Training Kit.