Security Awareness & Compliance

This guide was created to help you navigate industry-specific guidance on Security Awareness Training requirements.
Why Security Awareness Training?
Because it is part of what regulators, cyber insurance providers, partners, and clients require you to do to meet compliance standards. And as an MSP, you need to understand which compliance regulations apply.
We are Here to Help!
We are here to simplify the process, provide expert guidance, and ensure your program meets industry standards with confidence. Whether you’re deciphering regulations, selecting the right training content, or ensuring continuous employee engagement, we’ve got your back every step of the way. Let’s build a security-conscious culture together!
If, as you read through this article, you find that you need customized guidance or that your industry is not covered here, reach out to us at hello@infimasec.com. We’ll help you stay compliant and ensure your Security Awareness Training program meets industry standards!
Where Do We Start?
One of the most widely recognized cybersecurity frameworks comes from NIST (National Institute of Standards and Technology). NIST developed the Cybersecurity Framework (CSF) to offer comprehensive guidance across industries and security layers.
NIST highlights Security Awareness Training as a critical part of any cybersecurity program. According to NIST, organizations must ensure that "personnel and partners receive cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities in alignment with relevant policies, procedures, and agreements."

Industry-Specific Guidance on Security Awareness Training
Unfortunately, NIST is just one of many governing bodies providing cybersecurity guidance. To develop the most effective training program for your business, it's essential to consider industry-specific regulations and requirements from multiple regulatory authorities.
Cybersecurity compliance is not one-size-fits-all—each industry has unique regulations mandating ongoing security awareness training for employees. Below, we outline key industry standards to help ensure your organization remains compliant and well-protected.
Financial Services & Banking
- FINRA (Financial Industry Regulatory Authority): Requires cybersecurity training for all employees at onboarding and at least annually thereafter to ensure users understand their responsibilities in protecting a firm's systems and information.
- SEC (U.S. Securities and Exchange Commission): Mandates firms provide written security guidelines and periodic training on information security risks and responsibilities.
- GLBA (Gramm-Leach-Bliley Act): Mandates that education and financial institutions implement measures to protect the security, confidentiality, and integrity of customer information, including security awareness training.
- NY DFS (New York Department of Financial Services): Requires regular cybersecurity awareness training for all personnel, updated to reflect risks identified in the entity's Risk Assessment.
Insurance
The NAIC Insurance Data Security Model Law (Model 668) establishes standards for data security, including requirements for cybersecurity awareness training. Employees must receive ongoing training tailored to evolving cybersecurity risks identified by the organization.
Healthcare
HIPAA (Health Insurance Portability and Accountability Act) mandates that covered entities implement a security awareness and training program for all workforce members, including management. Training must be documented and regularly updated.
Education
PTAC (Privacy Technical Assistance Center) offers guidance on safeguarding student privacy, including best practices for data security and management. Training must be comprehensive, covering all employees, contractors, and volunteers with access to personally identifiable information (PII).
Retail & Credit Card Processing
PCI-DSS (Payment Card Industry Data Security Standard) outlines specific requirements for security awareness training to protect cardholder data. Organizations must implement a formal security awareness program to ensure all personnel are aware of the importance of cardholder data security.
Architecture, Construction & Engineering (A/C/E)
Many contracts reference NIST 800-53 as a cybersecurity baseline. Organizations must provide security training for all new employees and conduct ongoing training, including hands-on cybersecurity exercises simulating real-world attacks.
Disclaimer: Our attorneys insist we remind you that none of the above constitutes legal advice, and all services are governed by our Terms of Service and End User License Agreement, which may be updated with or without notice.