How Long Has It Been Since You've Done An Awareness Activity? Privacy and Security Week Starts April 8
Awareness activities are an important and necessary component of an effective, layered, information assurance program. Too little time is spent on communicating information security and privacy requirements, threats, vulnerabilities, and other related issues within most organizations. Providing regular traning and ongoing awareness activities to all personnel, along with customized training to targeted groups with unique information security responsibilities, such as call centers, sales and marketing folks, and applications and systems developers, as is also very important.
April 8 through 14, 2007, is Health Information Privacy and Security Week.
This is an annual event is sponsored by the American Health Information Management Association (AHIMA) to raise awareness among healthcare professionals, their employers, and the public of the importance of protecting the privacy, confidentiality, and security of personal health information.
However, if you are not within a healthcare organization, but have not provided any awareness activities for a while, say 2 to 3 weeks or more, consider doing some activities next week too. The AHIMA site provides a few suggested activities.
In my book, Managing an Information Security and Privacy Awareness and Training Program, I list 142 awareness activities in one of the chapters, and in another chapter I list 14 movies and television shows that are also effective in raising awareness. I have added several items to these lists in the past 2 1/2 years since I wrote the book, but you should still find enough listed in the book to get you started. I have it on my to-do list to set aside the time to make my notes legible with some updates, perhaps this year I'll get it done.
I loved doing awareness activities when I was responsible for information security and privacy for a large financial company; what a great creative outlet, and a nice change of pace from fighting information security fires! One year we set up a "Wheel of Security Fortune" outside the cafeteria for international computer security day. As people entered or left they would spin this huge wheel, and answer a question for the topic the clicker-pointer landed on. The questions incorporated our information security policy requirements and presented them in a way that related to work responsibilities and performing daily business. They were of varying degrees of difficulty and we gave prizes of various sizes for correct answers; from candy-wrapped mints with a picture of our information security mascot on it all the way up to a gift certificate to the cafeteria for a full meal. This was a great success; well-received, plus we were able to establish some metrics based upon the participation and percentage of correct answers for how aware our personnel were about the various information security topics.
If you are doing something next week for this, please share with us what you do! It is always great to hear about the creativeness of information security and privacy folks, and if you've happened upon something that is working well please share with others so they can follow your example and improve awareness within their organizations also.
Email This!
Digg it!
Sphere it!
Del.icio.us
Reddit!
Newsvine
Comments
"Providing regular traning and ongoing awareness activities to all personnel, along with customized training to targeted groups with unique information security responsibilities, such as call centers, sales and marketing folks, and applications and systems developers, as is also very important."
I couldn't agree more. Too often the blame for security breaches is placed directly on the CTO or the IT department, but ALL employees are responsible for safe security practices and the protection of customer and staff information.
Education is a crucial component in the race against breaches. I'm sure that companies that succeed in finding informative and engaging education methods for their staff will be highly successful in getting everyone on board for effective security measures.
Posted by: Mila | April 4, 2007 3:48 PM
Indeed; providing GOOD and EFFECTIVE education is key. I've seen too many organizations put convulated, non-educational junk in front of their personnel and call it training. Completely ineffective, and in fact damages the information security and privacy efforts in the long run.
Posted by: Rebecca | April 6, 2007 12:22 PM
Education is especially important because what security specialists might think is "common sense" as far as document security is concerned, could be completely foreign knowledge to someone working in HR or marketing. Since the IT department can't look over every single employee who handles sensitive information, it is CRUCIAL that all staff know the risks and safe practices of handling proprietary data.
Posted by: Mila | April 6, 2007 3:32 PM