
Laws & Regulations Require Security & Privacy Training & Awareness

I'm in the final weeks of creating some privacy breach training courses that will not only help personnel to prevent privacy breaches, but also help support compliance with the FACTA Red Flags rule, the at least 45 U.S. privacy breach notice laws, plus many other laws and regulations.

Over the past decade+ there have been a large number of laws, regulations and industry standards that have specifically stated the need for organizations to provide information security and privacy training and awareness to their personnel.

It would seem to be a no-brainer for organizations to provide this type of education to their personnel, but sadly many business leaders err on the side of ignorance for their staff in an effort to save a comparative penny or two. Another significant group of executive leaders just don't get the importance of providing this education to their personnel, and it doesn't sink into their heads that you cannot expect workers to know how to safeguard information if you do not tell them how.

Lawmakers have seen these dangerous business-leader tendencies, and thus came the legal requirements for education.

If education was not legally required, a significant portion of business leaders would not provide information security and privacy education.

As I mentioned yesterday, my July issue of "IT Compliance in Realtime" focuses on the importance of information security and privacy training and awareness to not only improve security, but also to meet a very wide range of compliance requirements. The first article in this month's Journal is, "Information Security and Privacy Education Support Compliance." Download the PDF of the full Journal issue for the formatted, best-looking version.

Here is the next section from that article...

________________________________________________

Laws and Regulations Requiring Education

There are many laws and regulations that require personnel education, which includes training and awareness activities. Table 1 provides a quick reference with the italicized verbatim excerpts of the educational requirements from a few of these laws and regulations. There are many more, but this provides a good example of the many ways in which laws and regulations require information security and privacy education.
Many of the laws and regulations do not explicitly use the words "train" or "aware." However, when laws and regulations indicate that organizations must "promulgate," "provide information," "instruct," and ensure information is "made known," this generally means that organizations must effectively provide education.

[Table showing 11 U.S. laws and regulations and each of the corresponding educational directives. Download the PDF to see the full table.]

Training and awareness regulatory and legal requirements are not limited to the U.S.; there are many other data protection laws throughout the world that have similar requirements. The bottom line is that it is best for business and for establishing a culture of information security and privacy to provide regular training and ongoing awareness communications and activities.

________________________________________________

Thoughts? Feedback? Let me know!


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.