The rough topic area having been determined some weeks earlier, a key task for us at the start of each month is to finalize both the scope and the purpose of the next information security awareness module.
The scope is a natural outcome of our research on the topic: despite having covered most topics before, we invariably find interesting new angles and end up writing brand new content. When we last covered the privacy topic back in 2012, we focused on compliance and espionage. This time around, the materials mention compliance (of course!) but emphasize other aspects such as governance, respect and trust.
The purpose of the awareness module is crystallized as a set of 'learning objectives' specifying what we hope our customers' audiences will get out of the materials:
- Inform employees about privacy concepts and their obligations, emphasizing the personal perspective (e.g. picturing themselves both as the cause and the victim of privacy breaches);
- Outline recent privacy breaches from the news, highlighting both personal and corporate impacts;
- Explain the associated risks and promote the corresponding controls, including aspects such as policies and procedures, informed consent, enforced notification of breaches, Safe Harbor, data accuracy and secure disposal;
- Discuss but go beyond legal and regulatory compliance, particularly for the management audience (emphasizing the governance aspects);
- Encourage professionals to support the organization’s privacy framework through technological controls such as access controls and encryption, and point out the privacy issues arising from network/system monitoring and surveillance.