Security Basics mailing list archives
RE: Annual Security Awareness program
From: "G Michael Runnels" <gmrunnels () ev1 net>
Date: Wed, 18 Mar 2009 20:52:41 -0600
To all,

At my university (6200 faculty/staff, we're not counting students), our bursar's office identified those departments with merchant identifiers. I then contacted each department POC and got a list of those who fall under the auspices of the PCI DSS (approximately 80); we felt making *everyone* take it would be unnecessary and aggravating. I used the latest PCI DSS checklist and SAQs and developed a training module using Flash, and then loaded that into our learning management system. We tie continued access to the university network to them completing this training. Everyone has to do it within 60 days of notification; since this is a brand new program (I just rolled it out last week), I haven't sent the annual parameters yet. If we didn't already have the learning management system in place, I'm not sure how we would have done it.

As a side question, how many of you have learning management systems in your organization?

Thanks tons,
Mike R

G Michael Runnels, CISSP CISM CHSP GSEC MCSE BSEE
Information Security Officer

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Nick Duda
Sent: Tuesday, March 17, 2009 10:56 AM
To: 'security-basics () securityfocus com'
Subject: Annual Security Awareness program

While some will argue about its true effectiveness, we have an obligation under PCI DSS 12.6.1b, "Do employees attend security awareness training upon hire and at least annually?". We have a program in place for new hires: they sit through about a 1 hour session with a member of the InfoSec team, where we go over a PPT with common security related issues. We are now required to have annual training for all employees. My question is, how do companies with hundreds/thousands of employees perform this to meet PCI DSS requirements? I've heard about online programs, but this just seems like a waste of time (but may satisfy PCI DSS).
The floor is open for discussion and recommendation on how an annual awareness session can be held for hundreds+ employees. Thanks in advance.

Regards,
Nick Duda
Manager, Information Security
GIAC GSEC | GCIH

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute
Find the source of cybercrime! Almost every crime today involves a computer or mobile device. Learn how to become a Computer Forensics Examiner in InfoSec Institute's hands-on Computer Forensics Course. Up to three industry recognized certs available, online computer forensics training available.
http://www.infosecinstitute.com/courses/computer_forensics_training.html
------------------------------------------------------------------------
Current thread:
- Annual Security Awareness program Nick Duda (Mar 17)
- RE: Annual Security Awareness program Corey Bobb (Mar 17)
- RE: Annual Security Awareness program G Michael Runnels (Mar 19)
- <Possible follow-ups>
- Re: Annual Security Awareness program vupadhyaya (Mar 19)
- Re: RE: Annual Security Awareness program viveksilla (Mar 19)
- RE: RE: Annual Security Awareness program Jason Hurst (Mar 19)
- Re: RE: Annual Security Awareness program Meenal Mukadam (Mar 24)
- RE: RE: Annual Security Awareness program Jason Hurst (Mar 19)