The PCI has released a brand-new document on implementing a security awareness program, and it is really good.
While the IBM iSeries AS/400 comes out of the box with the industry's best security, putting that security to use requires active management. The PCI has developed world-class "Best Practices" standards from which you can build your strategy. Take advantage of this FREE resource.
In order for an organization to comply with PCI DSS Requirement 12.6, a formal security awareness program must be in place. There are many aspects to consider when meeting this requirement to develop or revitalize such a program. The best practices included in this information supplement are intended to be a starting point for organizations without a program in place, or as a minimum benchmark for those with existing programs that require revisions to:
- Meet PCI DSS requirements;
- Address the rapidly and ever-changing data security threat environment;
- Reinforce the organization’s business culture.
Establishing and maintaining information-security awareness through a security awareness program is vital to an organization’s progress and success. A robust and properly implemented security awareness program assists the organization with the education, monitoring, and ongoing maintenance of security awareness within the organization.
This guidance focuses primarily on the following best practices:
- Organizational Security Awareness: A successful security awareness program within an organization may include assembling a security awareness team, role-based security awareness, metrics, appropriate training content, and communication of security awareness within the organization.
- Security Awareness Content: A critical aspect of training is the determination of the type of content. Determining the different roles within an organization is the first step to developing the appropriate type of content and will also help determine the information that should be included in the training.
- Security Awareness Training Checklist: Establishing a checklist may help an organization when developing, monitoring, and/or maintaining a security awareness training program.