Adapting Awareness Training for Evolving Compliance Demands

Article Online Training
Compliance Training

 
With cybersecurity and compliance standards continuously evolving to match the growing threat landscape, organizations must provide up-to-date awareness training that meets basic security requirements and addresses the most critical risks within your environment. Faced with resource constraints and time limitations, how can your teams ensure that training is current and updated to comply with new requirements for PCI DSS v4.0, the updated FTC Safeguards Rule, updated HIPAA Security Rule, and many more?

To help assess your organization’s training needs, the table below outlines some of the common compliance standards and specific training requirements for staff:

Compliance Training Requirements
Standard Staff Training Requirement

Information Security

All staff

Annually/ongoing (state requirements, NIST/ISO, cybersecurity insurance).

PCI DSS v4.0

All staff involved in the payment card process

Security awareness at hire, annually thereafter. Training on the POI, device inspections, social engineering, phishing, acceptable use, and incident response. Refreshed annually.

GLBA/Safeguards Rule

All staff interacting with covered customer financial data

Provide specific training around the risks identified in your annual risk assessment, Training must be kept up to date. Security team must maintain knowledge relevant to threat landscape.

HIPAA

All individuals accessing PHI data

All staff must receive training under the Privacy and Security Rule. Organization must document training materials and workforce completion.

CMMC

All individuals accessing sensitive unclassified data (i.e. research data)

Organizational system users are to be trained on the specific risks associated with their use of in-scope systems. Training should include how to recognize potential threats (insider threats, social engineering, etc.).

FACTA Red Flags

All staff interacting with consumer data and covered accounts

Training should be part of your Identity Theft Prevention Program, teaching employees how to identify red flags, prevent and mitigate identity theft.

FERPA

All faculty/staff with access to student records

Training of the requirements relating to the privacy and security of Personally Identifiable Information (PII) in student records.

An EDUCAUSE quick poll revealed that 61% of participants believe training is only somewhat effective within their college or university. Participants reported that training programs were incomplete as they are often missing content about key issues, specific types of compliance, and/or regional or state regulations. Respondents also said training lacked updates and was seen as boring or overly long and complicated. Read our article for more insight into this poll, our key takeaways from it, and elements of a successful security awareness training program.

Don’t provide boring, check-the-box training. And don’t launch outdated training that references statistics from 2019! Training programs should be adaptable, ongoing, and regularly refreshed to stay up to date and ahead of the bad guys. It is also important to provide role-based training when possible so information can be targeted and include relevant information for specific groups or departments.

For example: PCI training for merchant managers is different than training for student cashiers which is different for IT staff responsible for securing systems and implementing technical controls, etc. The Business Office might receive more focused training on ACH payment fraud or email compromise attacks, whereas the Help Desk should receive additional training on potential vishing or phishing attacks.

Lessons learned should also include real-world examples or stories of organizations that have been impacted. For example, you might illustrate how a response to a single phishing email led to a larger data breach or ransomware attack at another institution. If training can be customized to align with operational procedures, this ensures that your overall messaging and instruction are consistent.

Provide direct links to policies within the training, and confirm staff knows how and where to find specific policies and procedures concerning acceptable use, approved technologies, privacy and data governance, etc. If users can tie everything together with consistent messaging, your awareness training can reinforce adherence to organizational procedures and reduce the likelihood of non-compliance.
Ultimate Guide to Elevate Your Security Awareness Training Program

If you have questions regarding your current training requirements or need to define which users within your organization should be receiving training, reach out to your dedicated CRM team or contact us.

You can also download our guide to Elevate Your Security Awareness Training.

Share

About the Author
Katie Johnson

Katie Johnson

PCIP

Manager, Operations Support

As the manager of Operations Support, Katie leads the team responsible for supporting and delivering CampusGuard services including online training, vulnerability scanning, and the CampusGuard Central® portal. With over 15 years of experience in information security awareness training, Katie is also the Product Lead for CampusGuard’s online training services. As a Senior Customer Relationship Manager for a limited number of customers, Katie assists organizations with their information security and compliance programs and is responsible for coordinating the various teams involved.

Related Content