Security Basics mailing list archives
RE: Annual Security Awareness program
From: Corey Bobb <cbobb () accesso com>
Date: Tue, 17 Mar 2009 15:38:33 -0500
We are not a big company, but for our compliancy, we have used an annual signoff on the acceptable usage policy, and within that document we put "Security Awareness" information that is designed to inform the users of various security related issues as they apply to our environment. According to our QSA that is an acceptable means of annual training.

Corey M. Bobb
Accesso
Director Network Services

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Nick Duda
Sent: Tuesday, March 17, 2009 12:56 PM
To: 'security-basics () securityfocus com'
Subject: Annual Security Awareness program

While some will argue about its true effectiveness, we have an obligation under PCI DSS 12.6.1b, "Do employees attend security awareness training upon hire and at least annually?". We have a program in place for new hires: they sit through about a 1 hour session with a member of the InfoSec team, where we go over a PPT with common security related issues. We are now required to have annual training for all employees.

My question is: how do companies with hundreds/thousands of employees perform this to meet PCI DSS requirements? I've heard about online programs, but this just seems like a waste of time (but may satisfy PCI DSS). The floor is open for discussion and recommendation on how an annual awareness session can be held for hundreds+ employees.

Thanks in advance.

Regards,
Nick Duda
Manager, Information Security
GIAC GSEC | GCIH

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Find the source of cybercrime! Almost every crime today involves a computer or mobile device. Learn how to become a Computer Forensics Examiner in InfoSec Institute's hands-on Computer Forensics Course. Up to three industry recognized certs available, online computer forensics training available.
http://www.infosecinstitute.com/courses/computer_forensics_training.html
------------------------------------------------------------------------
Current thread:
- Annual Security Awareness program Nick Duda (Mar 17)
- RE: Annual Security Awareness program Corey Bobb (Mar 17)
- RE: Annual Security Awareness program G Michael Runnels (Mar 19)
- <Possible follow-ups>
- Re: Annual Security Awareness program vupadhyaya (Mar 19)
- Re: RE: Annual Security Awareness program viveksilla (Mar 19)
- RE: RE: Annual Security Awareness program Jason Hurst (Mar 19)
- Re: RE: Annual Security Awareness program Meenal Mukadam (Mar 24)
- RE: RE: Annual Security Awareness program Jason Hurst (Mar 19)