Other Useful Links

Note: The following links are provided as a service to our visitors and, while we believe they’re of value, we can’t vouch for their accuracy, and some sites may have moved since we listed them. Nor does a link to an outside website constitute an endorsement of that website.

Rules and Regulations

CMS Recommendations for Complying with the HIPAA Security Awareness Training Requirements

During 2008, the Centers for Medicare and Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) reviewed ten HIPAA covered entities (CEs) for their compliance with the HIPAA Security Rule. They found that the CEs had compliance problems in six areas, including security awareness training. This document details the recommendations from the report, which should be of interest to many organizations – not just HIPAA covered entities.

State Security Breach Notification Laws

Thirty-five states have enacted legislation requiring companies and/or state agencies to disclose security breaches involving personal information. This website provides summaries of legislation and links to the text of statutes and bills.

Running an Effective Security Awareness Training Program

The Second Year and Beyond

You’ve successfully set up and run your security awareness training program for a year. It’s now time to do it all again to comply with the annual retraining requirement in many of the regulations. What’s the best way to do this?

Best Practices for Security Awareness Training

A list of security awareness training ‘best practices’ derived from sources including ISO 17799, COBIT 4.0, HIPAA (Privacy & Security Rules), GLB-A, the PCI Data Security Standard, OMB Circular A-130, FISMA, NIST SP 800-16, NIST SP 800-50, and Section 508 of the Rehabilitation Act.

Support Arrangements

Two basic rules for successful support of your security awareness training program – especially during the key launch period.

Saving Money With Web-Based Policy Signature Management

Many (most?) regulations require your staff to review a set of policies and sign them to indicate that they will follow them. This usually involves printing out multiple copies of the policies – one per person – sending them round, collecting signature sheets, and recording the results in (say) an Excel spreadsheet. Have you ever considered the cost? Use this simple calculator to generate a very rough estimate of how much you could save in a year if you automated this process.

Guidance Documents

NIST SP 800-16: Information Technology Security Training Requirements: A Role- and Performance-Based Model

NIST SP 800-50: Building an Information Technology Security Awareness and Training Program