PCI Guidance On Security Awareness Programs on the Mark
November 6, 2014 02:30 PM
PCI DSS’s new security awareness guidelines give an accurate and thorough nod to effective best practices for security awareness training.
KnowBe4 announced its support of the Payment Card Industry Council’s efforts to implement its standards through Security Awareness Training. In fact, the PCI Council thinks Security Awareness Training is so important, they just published a 25-page guidance paper that fully explains the what, why and how of these programs, making it very clear that in order for an organization to comply with PCI DSS Requirement 12.6, a formal security awareness program must be in place.
KnowBe4 CEO Stu Sjouwerman said, “I was happy to read the guidelines, because they got it totally right. The PCI Security Standards Council took their time, discussed with their Special Interest Group (SIG) and came out with a well thought-through, measured and actionable guide that helps you to get a program in place. This will help companies educate users on how to effectively protect themselves from security threats like ransomware and social engineering.”
The PCI Security Standards Council (PCI SSC) was founded in 2006 by the payment card companies American Express, MasterCard, Visa, Discover and JCB International, and was tasked with educating merchants and other parties handling cardholder data on the PCI Data Security Standard (PCI DSS), so that compliance could and would be enforced more easily.
Troy Leach, the CTO of PCI SSC, said in a statement, “PCI Standards emphasize the importance of people, process and technology when it comes to protecting payment information. This guidance can help businesses focus on the 'people' part of the equation and build a greater culture of security awareness and vigilance across their organizations.”
A single section of the guideline highlights the key message: "One of the biggest risks to an organization’s information security is often not a weakness in the technology control environment. Rather it is the action or inaction by employees and other personnel that can lead to security incidents—for example, through disclosure of information that could be used in a social engineering attack, not reporting observed unusual activity, accessing sensitive information unrelated to the user’s role without following the proper procedures, and so on."
Sjouwerman further stated, “It is encouraging to see that using KnowBe4's Kevin Mitnick Security Awareness Training program allows our customers to fully comply with the PCI requirements. If only Home Depot had been listening.”
For a copy of the guidelines:
About Stu Sjouwerman and KnowBe4
Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, LLC, which provides web-based Security Awareness Training (employee security education and behavior management) to small and medium-sized enterprises. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Inc. 500 company Sunbelt Software, an award-winning anti-malware software company that he and his partner sold to GFI Software in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help entrepreneurs tackle cybercrime tactics through advanced security awareness training. KnowBe4 serves hundreds of customers in a variety of industries, including highly regulated fields such as healthcare, finance and insurance, and is experiencing explosive growth, with a surge of 427% in 2013 alone. Sjouwerman is the author of four books, the latest being Cyberheist: The Biggest Financial Threat Facing American Businesses.
About Kevin Mitnick
Kevin Mitnick is an internationally recognized computer security expert with extensive experience in exposing the vulnerabilities of complex operating systems and telecommunications devices. He gained notoriety as a highly skilled hacker who penetrated some of the most resilient computer systems ever developed. Today, Mitnick is renowned as an information security consultant and speaker, and has authored three books, including The New York Times best seller Ghost in the Wires. His latest endeavor is a collaboration with KnowBe4, LLC.