Regulatory Requirements for Training and Awareness

Today I had a great conversation with a CISO about the regulatory and legal requirements for organizations to provide information security and privacy training and awareness activities…


There are a growing number of laws and regulations that include requirements for the covered entities to provide some type of information security and/or privacy awareness and training to not only their personnel, but also in some instances to their customers and consumers.
Some of these laws and regulations include, but are not limited to, the following:

  • The Health Information Portability and Accountability Act (HIPAA)
  • 21 CFR Part 11 (Electronic Records/Electronic Signatures)
  • Bank Protection Act
  • Computer Security Act
  • Computer Fraud and Abuse Act (CFAA)
  • Fair and Accurate Credit Transactions Act (FACTA)
  • Red Flags Rule (under FACTA)
  • HITECH Act
  • Privacy Act
  • Freedom of Information Act (FOIA)
  • Federal Information Security Management Act (FISMA)
  • 5 U.S.C. §930.301 (for federal offices)
  • Appendix III to OMB Circular No. A-130
  • Digital Millennium Copyright Act (DMCA)
  • GLBA
  • Department of Transportation DOT HM-232
  • Sarbanes-Oxley (SOX) Act
  • The Organization for Economic Cooperation and Development (OECD) Security and Privacy Principles
  • The European Union Data Protection Directive
  • Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)

Although HIPAA, SOX, GLBA and now the Red Flags Rule are currently the most often discussed regulations that include requirements for awareness and training, education of personnel has been a requirement under guidelines and regulations for years. For instance, the Federal Sentencing Guidelines, enacted in 1991, require executive management to educate their employees about, and effectively communicate to them, the proper business practices with which they must comply.
I’m going to be covering these issues in depth within the 2nd edition of my book “Managing an Information Security and Privacy Awareness and Training Program” coming out in either late 2009 or early 2010.
