Security Basics mailing list archives

RE: Annual Security Awareness program


From: "G Michael Runnels" <gmrunnels () ev1 net>
Date: Wed, 18 Mar 2009 20:52:41 -0600

To all,

At my university (6200 faculty/staff, we're not counting students), our
bursar's office identified those departments with merchant identifiers.  I
then contacted each department POC and got a list of those who fall under
the auspices of the PCI DSS (approximately 80); we felt making *everyone*
take it would be unnecessary and aggravating.  I used the latest PCI DSS
checklist and SAQs and developed a training module using Flash, and then
loaded that into our learning management system.  We tie continued access to
the university network to them completing this training.  Everyone has to do
it within 60 days of notification; since this is a brand new program (I just
rolled it out last week), I haven't sent the annual parameters yet.  If we
didn't already have the learning management system in place, I'm not sure
how we would have done it.

As a side question, how many of you have learning management systems in your
organization?

Thanks tons,

Mike R

G Michael Runnels, CISSP
CISM CHSP GSEC MCSE BSEE
Information Security Officer

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Nick Duda
Sent: Tuesday, March 17, 2009 10:56 AM
To: 'security-basics () securityfocus com'
Subject: Annual Security Awareness program

While some will argue about its true effectiveness, we have an obligation
under PCI DSS 12.6.1b, "Do employees attend security awareness training
upon hire and at least annually?". We have a program in place for new hires,
they sit through about a 1 hour session with a member of the InfoSec team,
where we go over a PPT with common security related issues. We are now
required to have annual training for all employees. My question is, how do
companies with hundreds/thousands of employees perform this to meet PCI DSS
requirements? I've heard about online programs, but this just seems like a
waste of time (but may satisfy PCI DSS). The floor is open for discussion
and recommendation on how an annual awareness session can be held for
hundreds+ employees.

Thanks in advance.

Regards,
Nick Duda
Manager, Information Security
GIAC GSEC | GCIH


------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Find the source of cybercrime! Almost every crime today involves a computer
or mobile device. Learn how to become a Computer Forensics Examiner in
InfoSec Institute's hands-on Computer Forensics Course. Up to three industry
recognized certs available, online computer forensics training available. 

http://www.infosecinstitute.com/courses/computer_forensics_training.html
------------------------------------------------------------------------