Re: PCI Compliance End-User Training

[Eric Case <eric () ERICCASE COM>]

Dave,

I agree Don went a little far with his plug, but I would have to agree with
him that, "Most schools have created their own Security Awareness course
which is delivered to faculty and staff."  Do you have any numbers that show
most schools did not create they own security awareness course?  If they did
not build it themselves, where did they get their security awareness course?

In any case, I saved his post because it is good to know what my options
are.
-Eric


Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase
(520) 344-CISO (2476)



> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dave Koontz
> Sent: Monday, July 26, 2010 4:38 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] PCI Compliance End-User Training
>
>  Most schools have done this?  Really? Can you prove this?
>
> I tend to think most schools rely upon their campus policy and bank
> requirements to ensure that users are aware of their policy and have
> users sign off on them.  Sorry, but I don't think schools need to hear
> a
> sales pitch from you or your company to think they are compliant. (nor
> fear if they haven't bought your product).
>
> I still think the most "cost effective" thing for most of us is not
> allowing vendors into the EduCause lists.  Valied help is almost always
> a sales pitch when you get right down to it.  This is a perfect case in
> point.
>
> On 7/26/2010 7:14 PM, Don Cochran wrote:
> > Most schools have created their own Security Awareness course which
> is
> > delivered to faculty and staff. And I would assume most feel the
> awareness
> > course is sufficient for the required training under section 12 of
> the
> > PCI-DSS.  SCIPP International has taken it a bit further and has
> developed
> > industry specific modules which augment their foundation course which
> > addresses the uniqueness's of the differing sectors and their
> requirements.
> > SCIPP has an Education module which addresses FERPA, a healthcare
> module for
> > HIPAA Security and a HIPAA Privacy, a retail module for PCI, etc.
> etc...
> > We have also developed an on-line course which covers the principles
> of
> > secure coding and satisfies the training requirement found in section
> 6 of
> > the PCI-DSS which calls for the evidence of training on the OWASP
> Top-10
> > (Cross-site scripting, data injection, and the like).
> >
> > Our cost effective courses are the only ANSI accredited certificate
> courses
> > offered for security awareness training - more info can be found on
> our
> > website or by contacting us at info () scippinternational org
> >
> > Warm regards,
> >
> > Don Cochran
> > Director, Business Development
> > SCIPP International
> > 1964 Gallows Road, Suite 320
> > Vienna, Virginia 22182
> > United States of America
> >
> > +1 703.637.4422 (Direct)
> > +1 703.599-0666 (Cell)
> > +1 703. 637-4371 (Fax)
> > www.SCIPPinternational.org
> >
> >            SCIPP International
> > "The Security Awareness Certification Company"
> >
> >
> >
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Aaron Sigmon
> > Sent: Monday, July 26, 2010 6:00 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: [SECURITY] PCI Compliance End-User Training
> >
> > Hey guys,
> >
> > What are you using for PCI Compliance End-User Training?  Are you
> > bringing in trainers, using a web-application/software, or just doing
> > it in-house?  If you are using trainers and/or webapps/software, are
> > there any you can recommend?
> >
> > Thanks,
> >
> > Aaron Sigmon
> > Information Systems Analyst III
> > ITS - Information Technology Services
> > Central Piedmont Community College
> > Office:  704-330-6141
> > Mobile:  704-363-7577

Attachment: smime.p7s
Description: