This awareness and training module delves into the monitoring/oversight and enforcement aspects of compliance - 'playing by the rules'.
Both the organization as whole, and workers individually, are obliged to comply with various rules concerning information security. Some rules are imposed on us by external authorities in the form of laws and regulations (e.g. GDPR/privacy, PCI DSS), others we impose on ourselves through corporate policies, procedures etc.
Although easily overlooked, people need to be made aware of the security rules, helped to understand and appreciate their obligations, and motivated to comply.
There are numerous laws and regulations relating to information security, far too many for us to cover in detail. On top of that, we are not lawyers and this is not legal advice. Therefore, we can only talk in general terms about the legal and regulatory side. We face the same constraint with corporate security policies: we are not familiar with your policies, or with your current policy awareness challenges. Nevertheless, we sincerely hope that this awareness module provides a sound platform or starting point.
- Make employees broadly aware of their own and the organization’s compliance obligations relating to information security;
- Help everyone understand and appreciate that we are expected or obliged to behave in certain ways, and that doing so has benefits beyond the individual (getting at the underlying reasons for the very existence of security and privacy rules);
- Mention that compliance with the rules is being actively monitored, alluding to the possibility of enforcement actions and penalties for noncompliance but without being too heavy on the threat (we prefer to put information security in a more positive light but you may feel differently);
- Support and encourage management’s efforts to clarify, promulgate, monitor/endure compliance with and when necessary enforce the security policies etc.;
- Distinguish authorized from unauthorized noncompliance, using the particular terms “exemptions” and “exceptions” respectively;
- For the professionals’ stream, discuss the instrumentation and monitoring of systems, networks and processes in order to identify, flag and deal with noncompliance at the earliest opportunity, before things get out of hand – including the possibility that naughty people may attempt to undermine or disable the alarms and alerts in order to conceal their nefarious activities.
Your learning objectives may differ. In particular, there may well be particular legal, regulatory and/or policy angles that you ought to emphasize.
The security awareness materials are generic and need to be tailored to your particular circumstances. None of this is legal advice! We strongly advise consulting competent lawyers and other compliance professionals to ensure that the guidance you dispense is both accurate and appropriate.
Awareness and training materials on fulfilling obligations under information security-related laws, regulations, standards, contracts etc. plus internal/corporate rules such as security policies, procedures and guidelines.