Wednesday 19th November 2008
PCI Compliance – The Golden Rules of User Awareness

Industry experts have predicted that only 10% of companies have actually achieved PCI Compliance, despite the deadline coming and going. The other 90% are, according to the card providers “committed to achieving compliance.” So what are the missing elements, what have companies not yet addressed in the drive for PCI Compliance?

Log on to any PCI Forum or discussion board and you will find questions and answers on the toughest or most critical elements of PCI Compliance; requirements 1, 3, 10 and others are oft mentioned, however there is little discussion on the importance of Requirement 12. This is surprising, in light of the fact that in 2007/2008, a bumper year for data breaches, the majority of high profile data security breaches have been singularly attributed to human error.

And it’s official. Recent reviews of governmental data breaches, such as the Poynter Review and Sir Gus O’Donnell’s review on Data Security in Government, all point to the same thing: a lack of user awareness is a key factor in poor IT security. These reports talk about “cultural failure… an all pervasive management mess” and “…an absence of proper awareness and training among staff and confusion on the ownership and guardian of data.” That is indication enough that, in order to get your PCI Compliance house in order, you must include your users from the outset.

The Golden Rules of User Awareness in PCI Compliance

Even the most security conscious organisation must rely on staff to uphold its IT Security posture, and these staff can, and will, make mistakes. After all, they are only human. This is the very reason why Requirement 12, Maintain a Policy That Addresses Information Security for Employees and Contractors, is so critical to PCI Compliance, and indeed to any IT Security programme. So, how can organisations ensure a robust user awareness programme that complements all compliance activities and improves the security posture of the organisation? According to Stephen Edwards, Compliance Risk Partner at legal firm Stuarts Finlay, there are 5 golden rules that a company should follow to ensure that user awareness programmes have a positive impact on IT Security:

  1. In order to ensure effectiveness, user accountability must be delivered through self certification;
  2. All users must be included in awareness programmes, including 3rd party and remote workers;
  3. IT Security posture and user awareness levels must be regularly measured through automated risk assessments;
  4. Organisations must be able to demonstrate compliance via an aggregated, secure audit and reporting system;
  5. An automated, repeatable process is the key to Sustainability of Compliance.

Robbie O’Brien, CEO of Baronscourt and expert on Automated Compliance, agrees. He feels that “The key to best practice PCI Compliance is an ongoing, interactive communication process with the user.” In other words, a company can expend valuable resources ensuring that all elements of PCI DSS are met, but without a robust, sustainable user awareness programme it remains at risk of security breaches stemming from that most dangerous of threats, the insider. Fundamentally, IT Security is about processes and people. People must be properly trained in order to ensure the right culture of governance is in place.

Join Baronscourt for a 30 minute webcast on How to Deliver User Awareness to Ensure Best Practice PCI Compliance

Date: 7 October 2008

Time: 12.30 – 1.00 pm GMT

Registration: email Tara Hutton or call 0207 917 9527

"Experts estimate the process of writing IT Security Policies can take 3-6 months, with no guarantees that policies will continue to cover all aspects of the changing regulations that govern IT security."

Judith O'Connor, CEO ECMP
Copyright Baronscourt Technology, © 2008. All Rights Reserved.