PCI embraces security awareness


The PCI Security Standards Council's Security Awareness Program Special Interest Group has released an 'information supplement' to PCI-DSS, suggesting an awareness approach that is remarkably similar to ours.

Best Practices for Implementing a Security Awareness Program is a well-written guide elaborating on four key ideas:

1) Security awareness is a vital tool supporting the business. "It is therefore vital that organizations have a security awareness program in place to ensure employees are aware of the importance of protecting sensitive information, what they should do to handle information securely, and the risks of mishandling information." [We go further in emphasizing the business value of information security, for example giving management confidence that information assets will be sufficiently well protected when exploring new business opportunities.]

2) Security awareness is best delivered on a continual basis, all-year-round. "Security awareness should be conducted as an on-going program to ensure that training and knowledge is not just delivered as an annual activity, rather it is used to maintain a high level of security awareness on a daily basis." [Absolutely! Our monthly deliveries are explicitly intended to support the continuous, rolling approach to awareness.]

3) Security awareness should address three audience groups, namely all personnel (with the aim of making security a habit), plus managers and personnel in 'specialized roles' meaning those who work directly with cardholder data (both of whom need additional information/guidance). [Our three streams address personnel in general, managers and specialists with a professional interest in information security.]

4) Security awareness content needs to be delivered through a variety of suitable mechanisms throughout the organization, implying that over-reliance on a single channel (such as email, posters or the intranet) is less than ideal. [Our monthly modules deliver 20-30 different formats of material, all consistent, covering the same subject area, at the same high level of quality, and fully customizable. Our customers have enormous flexibility in their approach to awareness, while we support awareness programs at every stage of maturity from the basics to the most advanced.]

The remainder of the guide is not quite as impressive. It goes on to suggest the awareness topics, diving into the specific information requirements relating to PCI (alone). "It is recommended that general security training for all personnel include defining what constitutes cardholder data (CHD) and sensitive authentication data (SAD) and the organization’s responsibility to safeguard both. A high level overview of the importance of the PCI DSS may also be included; to ensure personnel fully understands the purpose behind an organizational policy to safeguard cardholder data. To ensure all personnel are engaged stakeholders in the security awareness program, the roles and responsibilities of all staff to protect CHD and SAD should be outlined during all security awareness training, in accordance with organizational policy." The guide mentions the need to protect all forms of information (not just computer data, media and systems), to address social engineering, and to make personnel aware of policies and procedures. [We cover more than just PCI. We take a far broader perspective on information security because many information assets (not just credit card details!) are highly valuable to the organization, and all of them deserve or require adequate protection. Furthermore, the organization's information security-related compliance obligations go well beyond PCI-DSS. As far as we and our customers are concerned, PCI is just one of many obligations - merely the tip of the iceberg.]

The guide also suggests some metrics, divided into two groups. The "Operational metrics" group appears to be a random and incomplete assortment of security control objectives (labelled "Metrics") and measures (labelled "Training effectiveness indicators"): neither is much good, in my opinion, since they don't directly and obviously relate to business objectives. For example, "Reduced system downtime and network or application outages" is clearly a technical/IT objective, whereas the corresponding business objective (presumably something like "Highly available IT systems and networks supporting critical business activities") remains unstated, while the suggested measure "Consistent, approved change-management processes; fewer malware outbreaks; better controls" is merely another incomplete set of technical objectives. The other group, "Training program metrics", barely even relates to the objectives of the awareness program stated earlier in the guide. All in all, I highly recommend skipping the metrics section completely. [Read my book PRAGMATIC Security Metrics instead!]

There are a few references in the guide for further information. Despite us having been doing this stuff consistently since 2003, I can understand them not even mentioning us but it is very disappointing that Rebecca Herold's bible on security awareness was not cited ... which seriously leads me to wonder about the Special Interest Group which produced the guide. Surely someone among the august group of 100 or so organizations has read Rebecca's book and seen the light? Or are they all still floundering along in the dark?  :-)