When you become NAID AAA Certified, you are making a statement to your customers that data security is your top priority. This is the cornerstone of NAID AAA Certification, and a major part of keeping your clients’ data protected from unauthorized access is ensuring all access individuals (that is, anyone who has or can grant access to confidential customer media) are properly trained.

Whether you are applying for NAID AAA Certification for the first time, or this is your 20th renewal, you will come across this requirement as you fill out your application, and it is important to understand your options.

i-SIGMA offers three options for this requirement, and while they are all similar, they also differ in important ways, so how do you know which one is right for you? Hopefully, this article can shed some light on this topic.

Option #1:

All Access Individuals have taken and passed the i-SIGMA Access Individual Training Program (AITP). (Submit “Access Individual Training Program Licensing” Form with application.)

This is by far the most common option that members choose. To purchase this training program from i-SIGMA, please sign into your Member Portal and navigate to the store which will bring you to the Online Store under the Documents+ drop-down menu at the top of the page. For a one-time payment of $79.95, members gain unlimited access to the i-SIGMA Access Individual Training Program which includes:

• 34-minute video covering the physical security and operational aspects of the NAID AAA Certification Program

• Test

• Test key (only for use by test administrator—please do not distribute to access employees)

• Documentation to track test scores and to verify completion

This training must be performed and documented annually for all access individuals, and your auditor will ask to see this documentation during an audit to verify that your organization meets the access individual training requirements.

Option #2:

All Access Individuals have taken and passed a third-party training course, which has been pre-approved by i-SIGMA. (Submit i-SIGMA “Access Individual Training Program Approval” (AITP) form with application for approval along with an outline of training, or if approval has already been obtained, submit the approved copy of the form for review.)

Members do have the option to use a third-party training program that has been pre-vetted by i-SIGMA, and these can be found in your Member Portal by selecting Corporate Partners from the Directories drops-down menu. From there you can search the directory; alternatively, you can also download the Buyers’ Guide, where on Page 29 you will find employee training service providers. All you need to do then is fill out the Access Individual Training Program approval form located at the back of the NAID AAA Certification application packet and submit it to the Certification Department at certification@isigmaonline.org, and we will sign it and send it back for you to keep on file. Just like Option 1, this training must be completed annually, and your auditor will check your documentation to verify.

Option #3:

All Access Individuals have taken and passed an in-house training, which has been pre-approved by i-SIGMA. (Submit i-SIGMA “Access Individual Training Program Approval” (AITP) form with application for approval along with an outline of training, or if approval has already been obtained submit the approved copy of the form for review).

This may be the least common option for this requirement, but it is probably the most often chosen by mistake. It seems that many members believe, if they have purchased the AITP training from i-SIGMA, that this now counts as their in-house training.

In actuality, this option is for members who have developed their own training, or who have found their own third-party training provider. Just as in Option #2, you must submit the AITP approval form to the Certification Department, but you must also submit an outline of the training that shows it meets the following requirements:

1. It must ensure the protection of confidential information.

2. It must protect against reasonably anticipated threats to the security of confidential information.

3. It must protect against unauthorized disclosure of confidential information.

4. It must ensure awareness of access individuals.

Once the Certification Department receives your approval form and reviews your training program outline, we will sign the form and send it back to you to keep in your records.

Choosing the right training program is a crucial decision, but whichever option you choose, it is even more important to practice the concepts of the training every day. One of the most common infractions the Certification Department sees in unannounced audit reports comes from drivers leaving trucks and confidential materials unsecured and unattended while they make their stops for the day. Not only can this incur fines and impact your standing with NAID AAA Certification, but if a data breach occurred as a result of negligence, it could lead to lawsuits, charges, and even the destruction of your entire business.

In life, it’s good to take risks; in data security, however, the only option is to play it safe.

About The Author

Shaina Van Kilsdonk is the i-SIGMA Certification Associate