Compliance with information security and privacy-related laws, regulations, standards and policies may be a rather dry subject, but it's an increasingly important one and as such is definitely worth covering in security awareness programs - unless, that is, you truly believe that your technical security controls alone are sufficient (in which case, you are either a unique technical genius or sadly deluded!).
We have just delivered a NoticeBored module all about security compliance, some 67Mb of stimulating awareness content that, to be perfectly honest, barely scratches the surface. We freely admit we are not legal experts. We don't know all the ins and outs of our customers' legal obligations, the rules imposed by their industry regulators, or their corporate policies towards security. But we do know about security awareness, about motivation and creativity. And in many ways our international perspective lets us see beyond the narrow confines of any individual organization.
The new security compliance module is designed to inform and motivate staff, managers and IT professionals, three distinct audiences with differing perspectives and needs:
- Managers and directors have both strategic and tactical leadership roles and governance obligations in respect of information management, IT, information security, privacy, and of course compliance.
- IT pros are faced with a confusing mess of technical and non-technical requirements imposed by barely comprehensible laws such as SOX, standards such as ISO27k, corporate security standards written by the egg-heads in information security/risk, and security policies written, in the main, by non-technical managers.
- Staff just want to go about their jobs. Security compliance is something that crops up occasionally but barely registers with them, unless sufficient effort is made to raise their awareness of their security obligations and, ideally, to motivate them to fulfill those obligations.