No training plan is in place for the company you chose, and many members of upper management argue that there is no need for one. However, your supervisor has asked you to research the compliance and/or audit standards that your organization must adhere to, identify the security awareness requirements those standards impose, and then write a proposal addressing the training the company needs.
Please review the following documents:
You are required to write a three to five (3-5) page proposal in which you recommend the need for security awareness training. In your proposal, be sure to:
Identify compliance or audit standards that your organization must adhere to.
Identify security awareness requirements for those standards.
Identify training methods to meet those requirements (in-house, contracted, or computer-based training (CBT)).
Assumptions
You should assume that your company will have to accept credit cards as payment.
You should assume that no current awareness/training plans exist for your company.
You should assume that all offices and groups need training.
Notes on submission:
Use at least three (3) quality resources as references in this assignment. Wikipedia and similar Websites do not qualify as quality resources.
Your assignment must follow these formatting requirements: Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.
Submit your completed assignment by following the directions linked below. Please check the Course Calendar for specific due dates.

Standard: PCI Data Security Standard (PCI DSS)
Version: 1.0
Date: October 2014
Author: Security Awareness Program Special Interest Group
PCI Security Standards Council
Information Supplement:
Best Practices for Implementing a
Security Awareness Program
The intent of this document is to provide supplemental information. Information provided here does
not replace or supersede requirements in any PCI SSC Standard.
Table of Contents
1 Introduction ..... 1
1.1 Importance of Security Awareness ..... 1
1.2 Intended Audience ..... 2
1.3 Terminology ..... 2
2 Best Practices in Organizational Security Awareness ..... 3
2.1 Assemble the Security Awareness Team ..... 3
2.2 Determine Roles for Security Awareness ..... 3
2.2.1 Identify levels of responsibility ..... 3
2.2.2 Establish Minimum Security Awareness ..... 4
2.2.3 Determine the content of training and applicability based on PCI DSS ..... 5
2.3 Security Awareness throughout the Organization ..... 5
3 Security Awareness Training Content ..... 7
3.1 All Personnel ..... 8
3.2 Management ..... 9
3.3 Specialized Roles ..... 9
3.3.1 Cashier/Accounting Staff

Security Awareness Compliance Requirements
Updated: 11 October, 2017
SANS MGT433 – https://securingthehuman.sans.org
Executive Summary
The purpose of this document is to identify the different standards and regulations that require security awareness programs.
ISO/IEC 27001 and 27002
8.2.2: All employees of the organization and, where relevant, contractors and third-party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.
(Clause 8.2.2 is the ISO/IEC 27002:2005 numbering. In the 2013 edition the same control is 7.2.2, "Information security awareness, education and training", mirrored as control A.7.2.2 in ISO/IEC 27001:2013 Annex A.)
Learn more at: http://www.iso.org/iso/home/standards/management-standards/iso27001.htm
PCI DSS
12.6: Make all employees aware of the importance of cardholder information security.
• Educate employees (for example, through posters, letters, memos, meetings, and promotions).
• Require employees to acknowledge in writing that they have read and understand the company's security policy and procedures.
This is the wording of the earliest PCI DSS releases. Later releases require a formal security awareness program, with personnel educated upon hire and at least annually (12.6.1) and acknowledging at least annually that they have read and understood the security policy and procedures (12.6.2).
Download the PCI DSS standard at: https://www.pcisecuritystandards.org/document_library
Download the PCI DSS Security Awareness Program Guidelines at: https://www.pcisecuritystandards.org/documents/PCI_DSS_V1.0_Best_Practices_for_Implementing_Security_Awareness_Program.pdf
Federal Information Security Management Act (FISMA)
§3544(b)(4)(A)-(B): Security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of information security risks associated with their activities and their responsibilities in complying with agency policies and procedures designed to reduce these risks.
(This is 44 U.S.C. §3544 as enacted by FISMA 2002. The Federal Information Security Modernization Act of 2014 re-codified the same requirement at 44 U.S.C. §3554(b)(4).)
Learn more at: http://www.dhs.gov/fisma
Gramm-Leach-Bliley Act (GLBA)
The Safeguards Rule requires companies to assess and address the risks to customer information in all areas of their operation, including three areas that are particularly important to information security: employee management and training; information systems; and detecting and managing system failures. Depending on the nature of their business operations, firms should consider implementing practices in each of these areas. On employee management and training, the FTC guidance is direct: the success of your information security plan depends largely on the employees who implement it.
GLBA Overview: https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act
Safeguards Rule: https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions-customer-information-complying
Health Insurance Portability and Accountability Act (HIPAA)
45 CFR §164.308(a)(5)(i): Implement a security awareness and training program for all members of its workforce (including management).
Learn more at: http://www.hhs.gov/hipaa/for-professionals/index.html
Red Flags Rule
16 CFR §681.1(d)-(e): Employees should