I have been working a lot with PCI DSS and HIPAA lately. One thing that has surprised me about these two topics, from a security awareness perspective, is just how similar they are. In the past I've blogged on how most security awareness programs share the same 70% of content. Many of the threats and best practices are the same, regardless of who you are or where you are in the world. One of the key areas where I find awareness programs differ is their data protection policies. What I'm starting to see is that even here, those policies can also be similar.

PCI DSS is an international standard developed by the Payment Card Industry. Any organization that stores, processes or transmits cardholder data must follow this standard. PCI DSS outlines 12 key areas that every organization must follow to protect cardholder data.

HIPAA is similar, but instead of credit cards it focuses on patient data (known as Protected Health Information). HIPAA was passed by the US Congress and includes regulations on how patient data must be protected. Any health care organization in the United States that handles patient data is required by law to follow these regulations.

Both regulations focus on protecting the privacy and integrity of data. What surprised me is how similar many of those requirements are. Examples include using only authorized systems to store or process protected information, sharing it only with those who have a need to know, encrypting it when it is transferred, destroying protected data when it is no longer in use, etc. While there are differences (unlike cardholder data, patient data is designed to be shared with others, making patient data more difficult to secure), I was surprised by how many similarities these regulations share.
What awareness topics do you find to be the most unique for organizations?