Let's Dig In: Security Awareness & Compliance

Does it seem like all of a sudden you're getting asked for confirmation that your Security Awareness Training program checks all the boxes? Regulators, cyber insurance providers, partners, clients... suddenly everyone cares what's in your program.

Naturally, this leaves you wondering which Security Awareness Training compliance regulations are relevant for your organization and for your MSP's client organizations.

Once you know what content you need, it’s easy to get lost in giant course catalogs that may or may not satisfy requirements. You know, it's like when you're browsing Netflix to find the perfect show for everyone... except regulators can crack down if you don't get it right!

It can feel like you’re operating in a vacuum when managing your team’s Security Awareness Training program, so we're changing that!

Where do we start?

The most prominent and widely used guidance for Cyber Security Awareness Training comes from NIST (National Institute of Standards and Technology). NIST created the Cybersecurity Framework (CSF) to provide cybersecurity guidance for a broad range of industries and across the spectrum of security layers.

NIST specifically identifies Security Awareness Training as a key component to a complete cybersecurity program. According to NIST, organizations need to ensure “personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements.”

You can learn more about NIST in our guide to Choosing Your Security Awareness Program provider.

Below, we list various industries and relevant guidance for each. If you don't see yours, shoot us a note at Hello@infimasec.com!

Industry Guidance

Financial Services and Banking

  • FINRA - Provide cybersecurity training to all employees upon their employment and at least annually thereafter (but preferably more often) to ensure all users are aware of their responsibilities for protecting the firm’s systems and information.
  • SEC - The Firm provides written guidance and periodic training to employees concerning information security risks and responsibilities.
  • GLBA - Training employees to take basic steps to maintain the security, confidentiality, and integrity of customer information, including:
    - Locking rooms and file cabinets where records are kept
    - Not sharing or openly posting employee passwords in work areas
    - Encrypting sensitive customer information when it is transmitted electronically via public networks
    - Referring calls or other requests for customer information to designated individuals who have been trained in how your company safeguards personal data
    - Reporting suspicious attempts to obtain customer information to designated personnel
  • NY DFS - As part of its cybersecurity program, each Covered Entity shall: provide for regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its Risk Assessment.
  • FFIEC - Training should support security awareness and strengthen compliance with security and acceptable use policies. Topics: end-point security, log-in requirements, password administration, phishing, social engineering, loss of data, inadvertent disclosure of sensitive information.
  • NCUA - Train staff to implement the credit union's information security program and provide for independent testing for compliance to be conducted by credit union personnel or outside parties.

Insurance

  • NAIC Insurance Data Security Law - Provide its personnel with cybersecurity awareness training that is updated as necessary to reflect risks identified by the Licensee in the Risk Assessment.

Law

  • ABA - In the context of electronic communications, lawyers must establish policies and procedures, and periodically train employees, subordinates and others assisting in the delivery of legal services, in the use of reasonably secure methods of electronic communications with clients.

Accounting

  • AICPA - Upon hiring, and annually thereafter, all employees must successfully complete training courses covering basic information security practices that support the functioning of an effective cybersecurity risk management program. The training courses are designed to assist employees in identifying and responding to social engineering attacks (phishing, tailgating) and in avoiding inappropriate security practices (for example, writing down passwords or leaving sensitive material unattended).

Healthcare

  • HIPAA -
    - (2)(b)(1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.
    - (2)(C)(ii) A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section.
    - (5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).

Education

  • PTAC - By definition, a thorough training program targets all new and current employees, as well as contract workers, temporary workers, and even volunteers. At a minimum, any member of the staff, regardless of role, who has access to personally identifiable information (PII), should be trained to protect data confidentiality and preserve system security.
    Encouraging awareness about data and IT security issues and developing a properly trained staff requires that many content areas be addressed through a comprehensive training program.
  • GLBA - Training employees to take basic steps to maintain the security, confidentiality, and integrity of customer information, including:
    - Locking rooms and file cabinets where records are kept
    - Not sharing or openly posting employee passwords in work areas
    - Encrypting sensitive customer information when it is transmitted electronically via public networks
    - Referring calls or other requests for customer information to designated individuals who have been trained in how your company safeguards personal data
    - Reporting suspicious attempts to obtain customer information to designated personnel

Retail (or anyone who processes credit card data)

  • PCI-DSS - Provide training for personnel to be aware of attempted tampering or replacement of devices (i.e. social engineering). Educate personnel upon hire and at least annually.
  • PCI-DSS Security Awareness Special Interest Group - In order for an organization to comply with PCI DSS Requirement 12.6, a formal security awareness program must be in place. Establishing and maintaining information-security awareness through a security awareness program is vital to an organization’s progress and success.

Architecture / Construction / Engineering

Requirements for A/C/E firms typically arise from vendor management questionnaires. Government and Private Sector contracts use NIST as their baseline.

  • NIST 800-53 - The organization:
    - provides security and privacy literacy training for new users and thereafter
    - includes practical exercises in security awareness training that simulate actual cyber attacks
    - includes "no-notice" social engineering or phishing tests of users
    - includes measures that test the knowledge level of users
    - includes security awareness training on recognizing and reporting potential indicators of insider threat
    - reviews and updates the organization's awareness and training policy and procedures
    - documents and monitors information security and privacy training activities and retains individual records of performance

If you're an MSP and want to learn more, go check out how we work with Partners here. If you like what you see, book a time to chat!

Disclaimer: As you may have noticed, we aren't attorneys, so we do not offer any of the above as legal advice. We're here to empower your Security Awareness Training program! Please seek out counsel for specific compliance-related questions.