Security Basics mailing list archives

Annual Security Awareness program


From: Nick Duda <nduda () VistaPrint com>
Date: Tue, 17 Mar 2009 12:56:07 -0400

While some will argue about its true effectiveness, we have an obligation under PCI DSS 12.6.1b, "Do employees attend 
security awareness training upon hire and at least annually?". We have a program in place for new hires: they sit 
through about a 1 hour session with a member of the InfoSec team, where we go over a PPT with common security related 
issues. We are now required to have annual training for all employees. My question is: how do companies with 
hundreds/thousands of employees perform this to meet PCI DSS requirements? I've heard about online programs, but this 
just seems like a waste of time (but may satisfy PCI DSS). The floor is open for discussion and recommendation on how 
an annual awareness session can be held for hundreds+ employees.

Thanks in advance.

Regards,
Nick Duda
Manager, Information Security
GIAC GSEC | GCIH

