If you have had to manage a PCI-DSS compliance program, you know that keeping up with the security awareness training requirements takes someone diligent and dedicated to the effort. If you have done it before, you also know that the first "lift" to stand up a Security Awareness Program can be a production, but it usually goes well because people are engaged by the novelty of the effort. Once the program is established, however, the routine work of keeping content fresh and keeping records current can become an afterthought, especially for small security teams. Below I have outlined the PCI-DSS Security Awareness Program requirements with some suggestions to streamline the effort for your teams.
PCI DSS Security Training Requirements:
6.5 Address common coding vulnerabilities in software-development processes as follows:
Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.
Suggestion for streamlining: Your time is valuable, and if you have a small team you probably do not have many AppSec professionals on staff to write and deliver secure coding training. Look to Computer Based Training (CBT) delivered through a Learning Management System (LMS) instead. Companies such as Cigital offer CBT secure coding courses that are kept up to date, which matters here because the requirement is about avoiding common coding vulnerabilities and those change over time; stale content will not satisfy the intent of 6.5.
9.9.3 Provide training for personnel to be aware of attempted tampering or replacement of devices.
• Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
• Do not install, replace, or return devices without verification.
• Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
• Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).
Suggestion for streamlining: Same as 6.5 above, look to CBTs or an LMS if you can, from a vendor such as Wombat Security. Alternatively, I have seen canned security awareness content covering device tampering delivered successfully by HR or Education staff during new hire orientation. Whichever route you take, target this content at the staff who actually handle point-of-interaction devices (cashiers, store managers, field technicians), since they are the ones an assessor will expect to be able to describe these four points.
12.6 Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
12.6.1 Educate personnel upon hire and at least annually.
12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.
Suggestion for streamlining: If you can, have the team responsible for onboarding new employees deliver the new hire security training; it is already on their checklist and it gives you a record of the "upon hire" date for 12.6.1. To track the annual policy acknowledgements required by 12.6.2, governance, risk and compliance tools such as Lockpath Keylight Compliance Manager can automate the attestation workflow and reminders. Whatever tool you use, make sure it records who acknowledged the policy, which version they acknowledged, and on what date, because that is the evidence your assessor will ask for.
12.10.4 Provide appropriate training to staff with security breach response responsibilities.
Suggestion for streamlining: This one is tough to streamline and still do it right. Most Incident Response teams conduct tabletop exercises with a cross-functional core team whose members serve as the point of contact and quarterback the response within their respective teams. While it is challenging to streamline, you can have each member of the core team bring an actual incident they faced, or one they are worried about, to the tabletop exercise. That takes some of the responsibility for driving the event off the Security and Compliance teams, and it produces more realistic scenarios than anything Security could invent alone. Keep the attendance list, the scenario, and the lessons learned from each exercise; together they serve as your training record for this requirement.
There are many ways to approach Security Awareness and fulfill the PCI-DSS training requirements. A few things are worth keeping in mind as you undertake this effort, and I suspect your budget will factor into how you build your program. The one very important goal is to establish a sustainable Security Awareness Program by reducing the overhead of maintaining it. You can reduce the overhead on internal staff in a couple of ways. The first is to find the common denominator among the compliance frameworks or regulations in your scope that require some form of security awareness training (e.g. NIST 800-53, HIPAA, etc.) and satisfy them with one program; think of it as hitting multiple requirement birds with one training stone. The second is to recognize that your time and your team's time is valuable, probably more valuable than building training materials. Companies like Cigital and Wombat Security provide computer based training (CBT) to meet various security awareness needs. It is important to find a CBT partner who keeps their content up to date with the newest threats and security techniques. Once you have that partner, their platform will track user completion and assessment scores, so when your PCI assessor asks for training records it is as simple as printing a report. Check before you sign that the report shows per-user completion dates, so you can demonstrate both the on-hire and the annual cadence required by 12.6.1.