Cybersecurity at Work: Audits That Require Security Awareness Training

by Amelia Lewis / October 29th, 2021

It is Cybersecurity Awareness Month! Every October we are reminded of the potential threats that are up against our cybersecurity. It is no surprise that employees make their way to the top of the vulnerability lists each year. It is time we created a culture of cybersecurity in the workplace.

Employees are often an organization’s weakest link. Whether because of a lack of funding or a misunderstanding of cybersecurity best practices, security awareness training often becomes an afterthought. The reality is that security awareness training is a vital part of your cybersecurity program that cannot be skipped. If even one person is unaware of cybersecurity best practices, they could unknowingly compromise the integrity of your security and disrupt your business processes. There is an endless number of ways this can happen, whether it be someone failing to recognize a phishing attempt, recycling weak passwords, not properly disposing of sensitive documents, neglecting company-wide security policies, or falling victim to any of the other tactics, techniques, and procedures (TTPs) of malicious hackers.

To battle the outbreak of human error in cybersecurity, many information security frameworks and regulations have made security awareness training a requirement.

  • What are the security awareness training requirements from each framework?
  • What does your organization need to do to ensure compliance with these standards?
  • How can security awareness training offer you peace of mind?

What Do Common Frameworks Require for Security Awareness Training?

  • SOC 2

    • AICPA (American Institute of Certified Public Accountants) explains that to earn compliance with common criteria 2.2, entities must “communicate information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.”
  • ISO 27001/27002

    • According to Requirement 8.2.2 of ISO 27001, “All employees of the organization and, where relevant, contractors and third-party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.”
  • PCI DSS

    • According to requirement 12.6 of the PCI (Payment Card Industry) DSS (Data Security Standard), entities must implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.
  • NIST 800-53

    • According to requirement AT-2, an organization is responsible for “providing basic security awareness training to information system users.” There are also two control enhancements that encourage the practical exercise of insider and outsider cyber-attack simulations.
  • HIPAA Security Rule

    • According to the administrative safeguard at 45 CFR 164.308(a)(5), covered entities and business associates must “implement a security awareness and training program for all members of its workforce.”
  • HIPAA Privacy Rule

    • Under the administrative requirements of the HIPAA Privacy Rule, 45 CFR 164.530(b)(1) states, “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information… as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”
  • GDPR

    • According to article 39(1)(b), Data Protection Officers are responsible for “monitoring compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising, and training of staff involved in processing operations, and the related audits…”
  • FISMA

    • According to U.S.C. 3544(b)(4)(A)–(B) under FISMA, entities are required to implement “security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of information security risks associated with their activities and their responsibilities in complying with agency policies and procedures designed to reduce these risks.”

Prepare Your People for Cyber Threats

How can the regular training of your employees be a critical component of your organization’s compliance and security? It has everything to do with both. By offering these resources to your employees, you ensure that they are aware of your company’s cybersecurity policies and industry best practices. Security awareness training can help minimize your organization’s risk of a data breach, thus protecting your sensitive company data and your brand reputation. Security awareness training costs less than 1% of what the average breach costs, which makes the regular training of your employees worth the investment 100 times over.

About the Author

Amelia Lewis

Amelia Lewis is a Marketing Associate at KirkpatrickPrice with a degree in Integrated Marketing Communication from Harding University. Amelia develops brand and content marketing strategies that aim to help organizations become unstoppable in their cybersecurity goals.