Tuesday, April 28, 2009

Creating a compliance training program for end users

Compliance awareness training is a necessity: the laws, regulations and related policies and procedures we operate under make it incumbent upon us to include such training as part of our information security awareness and data protection programs.

Over the past few years there has been a massive increase in security- and privacy-oriented compliance regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley (SOX), HIPAA and the Gramm-Leach-Bliley Act (GLBA), to name just a few. Several of these mandate that companies implement security awareness training as part of their information security programs. As a result, this often-neglected area of infosec has had some new life breathed into it.

Security practitioners love to argue about the effectiveness of employee security awareness training. Opponents claim the proliferation of security incidents is proof that it doesn't work, whereas proponents claim that no system is perfect, but something is better than nothing. Various studies have been published to support both sides, but one thing is certain: several compliance regulations exist that mandate employee training on the various security and privacy policies.

But what makes for a good security awareness and education program? Most user training misses the point completely and is as useless as its detractors say it is. That's because it focuses on what users should and shouldn't do, as opposed to why those rules exist and how ignoring them can have serious consequences.