Regulatory Requirements for Information Security Awareness and Training
Many organizations develop a security awareness program in response to legal or regulatory requirements. The following is a partial list of the numerous federal, state and international regulations that include security awareness and training as part of their data protection requirements.

Certain regulations are very specific about what security awareness and training must cover. Others simply require safeguards that are "appropriate" for the size and type of organization; in those cases, enforcement agencies and auditors must defer to accepted best practices or frameworks for guidance. Examples of such frameworks are the Control Objectives for Information Technology (COBIT®), ISO/IEC 17799:2005 (now ISO 27002), and the OECD Privacy Principles.
Regulatory Requirements for Awareness and Training

| Regulation/Framework | Industry/Country | Awareness/Training Requirement |
|---|---|---|
| HIPAA (Health Insurance Portability and Accountability Act of 1996) | Healthcare (U.S.) | Security Final Rule 164.308(a)(5)(i) (R): Implement a security awareness and training program for all members of its workforce (including management). |
| ISO/IEC 17799:2005, Section 8.2.2 Information security awareness, education, and training | Security Framework (International) | All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function. |
| Sarbanes-Oxley Act, Section 404, based on COBIT™ (Control Objectives for Information Technology) | All Publicly Traded Companies (U.S.) | DS 7.2 Delivery of Training and Education: […] Appoint trainers and organise training sessions on a timely basis. Registration, attendance and performance evaluations should be recorded. |
| Chemical Sector Cyber Security Program | Chemical Sector (U.S.) | 5.15 Staff Training and Security Awareness: Effective cyber security training and security awareness programs should provide each employee with the information necessary to identify, review and remediate control exposures. |
| Gramm-Leach-Bliley Act (GLBA), Title V, Section 501 | Financial Services (U.S.) | Safeguards Rule 314.4: "(b) Identify reasonably foreseeable internal and external risks […] including - (1) Employee training and management." |
| FERC Cyber Security Standard CIP-004-1: Personnel & Training | Energy/Infrastructure (U.S.) | "R1. Awareness - The Responsible Entity shall establish, maintain, and document a security awareness program […]. The program shall include security awareness reinforcement on at least a quarterly basis […]" |
| Federal Information Security Management Act (FISMA), NIST SP 800-26 | Federal Government (U.S.) | "(a) The head of each [Federal] agency shall … (4) Establish security awareness training to inform all personnel, including contractors and other users of information systems […] of (a) determining the risks associated with their activities, and (b) knowing their responsibilities in complying with agency policies and procedures designed to reduce these risks;" |
| PIPEDA (Bill C-6), Personal Information Protection and Electronic Documents Act | All Industries (Canada) | Principle 4.1.4: Organizations shall implement policies and practices to give effect to the principles, including [...] (c) training staff and communicating to staff information about the organization's policies and practices. |
See our security awareness resource page for more information on building a security and privacy awareness program.