
Hello all,


I’m considering sending some staff to training (and/or certification) on HIPAA and PCI-DSS.  This should be classes targeted for security analysts who work on compliance assessments.


What good or bad experiences have EDUCAUSE folks had?  Any recommendations?  Companies to avoid?


I don’t want to send staff to training that doesn’t add value to what they already know or can pick up from reading the compliance documents.





A. J. Wright 
Chief Information Security Officer


University of Tennessee – System Administration
2309 Kingston Pike, Suite 131C
Knoxville, TN  37996-1717
Phone:  865-974-0637




The real question is, does any good training even exist for the HIPAA security rule?  There is a ton of training for the privacy bits and for office staff.  Very little to nothing for the security side as far as I have found.


Dan Basile
Information Security Officer
Texas A&M Health Science Center


Hi A.J.,


Might I suggest you consider a more holistic approach and, rather than sending folks to targeted HIPAA or PCI training, target key staff for possible CISSP or CISA training and certification? Between the exams, textbooks and test databases, neither of my certifications cost more than $1,000, and they will be exposed to all applicable regulations.


Both of these are good (CISSP is better) at providing an overall understanding of compliance requirements (including HIPAA and PCI) in an IT shop.


Feel free to contact me if you have questions.


Good Luck,


Dan Sarazen
Senior IT Auditor
The Boston Consortium for Higher Education
Brandeis University, Mailstop 110
Phone: 781-736-8703
Cell: 781-296-4444
Fax: 781-736-8706






I agree with Dan. Focusing on a single regulation risks missing key concepts that are incorporated in CISSP, CISA, and other information security certifications. These are broad-based and provide a deeper understanding of compliance challenges and opportunities.


I also wish you luck.


Wayne S. Martin
Director Public Safety
Emergency Coordination Officer
Security & Compliance Coordinator
Information Security Officer
Blue Ridge Community College
Post Office Box 80
One College Lane
Weyers Cave, Virginia 24486
Office: (540)453-2347
Fax: (540)234-9066




I think compliance-specific training is only the right track if you need to train up your staff in order to be able to make compliance-related judgment calls for your institution (is X a PCI-compliant approach?). If this is the case, then something like PCI ISA training might be worthwhile (and lend an official status that your acquiring bank would appreciate). If that isn't your goal, then I advise assessing your team's skillset against the security landscape and targeting deep training on areas of need that relate to compliance.


For example, does your team need more strength in application security assessment, database security methods, forensics, incident response handling, or a particular technology you are using (firewall, IDS, DLP, etc.)? Or maybe the best next step is scripting/coding training for building in-house tools.


I prefer hitting individual topics in depth to an overview approach because I think the deeper understanding lends a lot to the best application of the information as well as longer retention of it. It takes longer to build out a breadth of knowledge this way, but it's about career professional development, not quick turnaround.


Brad Judy