Don't Forget To Add Common Sense To Your PCI Compliance Efforts


Harriet Beecher Stowe once wrote that "common sense is the knack of seeing things as they are, and doing things as they ought to be done."

Most of us take a common sense approach to everyday life. For example, before leaving for work in the morning, we unplug the iron and lock the front door. That reduces the chance of burning down the house or having someone steal your belongings. You don't need a reminder; it's just common sense.

So why is it so different with information security? There is a tendency for companies to put all their focus on implementing the latest security technology and not enough on common sense preventive measures. This is especially true for retail merchants who handle credit cards. The best PCI compliant point-of-sale system can't prevent a data breach caused by employee negligence.

Employee Security Awareness Training is a PCI Requirement
Many retail merchants aren't aware that employee training on information security is actually a PCI requirement. Besides being a good idea, a formal security awareness program is required by Requirement 12.6 of the PCI Data Security Standard (DSS).

6 Topics to Cover in Employee Security Awareness Training

So you may be wondering what the average employee needs to know. After all, isn't the IT person supposed to worry about PCI compliance? Here is a list of 6 topics to cover with every employee at least once a year:

What is sensitive information? Aside from the obvious categories of customer credit card and social security numbers, many employees don't realize that intellectual property such as price lists, product descriptions, marketing plans, and financial reports is also a frequent target of theft, and that its loss can have devastating effects on the company.

Methods used by outsiders to steal sensitive information. Low-tech "dumpster diving," or going through the trash, remains one of the most common ways sensitive information is stolen. Other weaknesses include leaving reports lying around a workspace and not locking file cabinets. Employees need to be reminded how to properly dispose of and secure documents.

Storing information. The single biggest way companies lose sensitive data is by having the data somewhere it shouldn't have been in the first place. People copy it off the network onto a laptop even though they don't need it there. When that laptop is lost, the data is lost with it.

Weak passwords. Employees need to understand how easy it is for cyber criminals to crack weak passwords: a short password built from a dictionary word with a capital letter, a year, and a punctuation mark tacked on is exactly the pattern cracking tools try first. Some internal systems aren't set up to require strong passwords, so the user has to make the right choice. Most people grasp what a strong password is after just a few minutes of conversation. It's well worth having that conversation.

Dangers of peer-to-peer file sharing networks. Employees need to understand that services like Kazaa and LimeWire are frequently used to distribute key loggers that can capture every keystroke they type, including passwords and card numbers. It's best to ban the use of peer-to-peer programs. If that's not feasible, at least educate employees on the risks so that precautions can be taken.

Dangers of email. One of the biggest problems companies have is that they transmit sensitive information by email. A message typically passes through several mail servers before it reaches its intended recipient, and it is not encrypted by default. Employees also need to be reminded that deleting an email doesn't necessarily remove it; copies remain in the recipient's mailbox, on mail servers, and in backups. Other risks include links and attachments in messages from unknown or spoofed senders.
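The weak-password point above is easiest to make by showing it. The following is an added example, not code from the article or from ANX: it runs a small dictionary attack, with the kind of mangling rules cracking tools apply (capitalization, leet substitutions, appended years and punctuation), against SHA-256 hashes of a handful of constructed employee passwords. The wordlist, the user names, and the use of unsalted SHA-256 as the stored hash are all assumptions made for the demonstration; real systems should use a salted, slow hash, but a weak password falls to this attack regardless of how it is hashed.

```python
import hashlib

# Constructed wordlist of common base words. A real attacker uses millions of
# entries plus leaked passwords; seven words are enough to make the point.
COMMON_WORDS = ["password", "welcome", "summer", "letmein", "qwerty", "monkey", "retail"]

# Simple leet-speak substitutions, one of the standard mangling rules.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})

# Constructed sample accounts (assumption: these are not real credentials).
# Three follow patterns people believe are "strong"; the fourth is a passphrase.
SAMPLE_ACCOUNTS = {
    "alice": "password",
    "bob": "Welcome1",
    "carol": "Summer2011!",
    "dave": "correct horse battery staple",
}


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256, standing in for whatever hash the system stores."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def mangle(word: str):
    """Yield the variants a cracking tool's rule set would try for one base word."""
    bases = [word, word.capitalize(), word.upper(), word.translate(LEET)]
    for base in bases:
        yield base
        for suffix in ("!", "1", "123", "2011", "2011!", "#1"):
            yield base + suffix
        for n in range(100):
            yield f"{base}{n}"


def crack(target_hashes, words=COMMON_WORDS):
    """Dictionary attack: return {hash: plaintext} for every hash recovered,
    plus the number of candidates tried before giving up or finishing."""
    remaining = set(target_hashes)
    found = {}
    tried = 0
    for word in words:
        for candidate in mangle(word):
            tried += 1
            digest = sha256_hex(candidate)
            if digest in remaining:
                found[digest] = candidate
                remaining.discard(digest)
                if not remaining:
                    return found, tried
    return found, tried


def is_weak(password: str, words=COMMON_WORDS, min_len: int = 12) -> bool:
    """Policy check a system could enforce at password-change time:
    reject anything short or anything the mangling rules would generate."""
    if len(password) < min_len:
        return True
    return any(password == candidate for w in words for c in (w,) for candidate in mangle(c))


def demo():
    """Hash the sample accounts, attack the hashes, and report who was cracked."""
    stored = {user: sha256_hex(pw) for user, pw in SAMPLE_ACCOUNTS.items()}
    found, tried = crack(stored.values())
    results = {user: found.get(digest) for user, digest in stored.items()}
    return results, tried


if __name__ == "__main__":
    results, tried = demo()
    for user, plaintext in results.items():
        status = f"cracked: {plaintext}" if plaintext else "not cracked"
        print(f"{user:6s} {status}")
    print(f"{tried} candidates tried")
    for pw in SAMPLE_ACCOUNTS.values():
        print(f"{pw!r}: {'weak' if is_weak(pw) else 'acceptable'}")
```

Three of the four accounts fall to a few thousand guesses; only the long passphrase survives, and it is also the only one is_weak() accepts. The same mangling rules drive both the attack and the policy check, which is the practical lesson for the training session: a password that a rule set can generate is not strong no matter how many character classes it mixes.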


About the Author:
To learn more about PCI DSS compliance and compliance assessment, see the ANX website:
www.anx.com



Article Originally Published On: http://www.articlesnatch.com


Copyright 2005-2011 ArticleSnatch, LLC - All Rights Reserved.