Security and privacy compliance awareness

Especially if you work in a heavily-regulated industry, you may not be the least bit surprised to discover that our latest awareness module on security compliance is weighty. Admittedly the high-res poster graphics account for much of its 100Mb but the annotated seminar presentations, briefing papers, mind maps and so forth ended up bigger than normal, even without going into detail on specific compliance requirements or resorting to the convoluted and archaic language heretofore favored by the legal profession.

So what makes compliance such a bulky awareness topic?

Part of the reason is of course that compliance obligations are many and varied. As a taster of the content in the module, here are 10 types of information security and privacy-related laws and regulations, taken from a list of 20 in one of the general employee awareness papers:
  1. IT and corporate governance - directors' responsibilities to society and owners
  2. Integrity, availability, accurate and complete reporting of financial data (mainly)
  3. Copyright, patents, trademarks and designs, laying down Intellectual Property Rights
  4. Reporting and notification of those affected by information security incidents/breaches
  5. Disclosure of information by public bodies or in the public interest (Freedom Of Information)
  6. Information security and privacy standards recommending good practices
  7. Distance selling and tax laws (e.g. running businesses on eBay)
  8. Restrictions on the import/export and use of strong cryptography (e.g. in France and Israel)
  9. Contracts, agreements and warranties (e.g. the validity of electronic signatures)
  10. Internet Service Providers, IP addresses, domain names (industry regulations).

Since our customers are doing business all over the globe, we touched on the complexities of having to comply with laws and regs in the international context, again without going into specifics. Issues such as jurisdiction and the differing rules of evidence make this a significant challenge but there is an important rider to all our awareness content: we are not dispensing legal advice! We've done our level best to keep it generic, readable and most of all interesting and engaging.

We deliberately interpreted our scope widely, going beyond security/privacy laws and regs to discuss compliance with corporate security policies for instance. This gave us an opportunity to raise the ethical and cultural aspects of compliance - again, just a light touch to prompt managers and staff to think things through for themselves, perhaps reminding them of previous awareness materials on those topics. [One of the advantages of our monthly cycle is that we don't have to go into depth on everything right now: we can refer back to stuff we've raised before, and we will pick up various loose ends in future months, giving continuity and consistency over the course of the awareness campaign that more conventional approaches lack.] 

Security/privacy clauses in commercial contracts get a mention too, and with good reason: they are often quietly slipped in there by the legal and procurement people only to be forgotten ... until a security or privacy incident blows up and all of a sudden they pop out of the woodwork. One of the case studies picks up on exactly that issue, hopefully prompting the class to think about what perhaps ought to be done in the way of security compliance during the life of the contract, as part of routine relationship management.

It was tempting to bleat on about penalties and enforcement actions but aside from the odd mention (oh, and that poster image!) we consciously chose not to flog that particular horse. Enforcement is such a downer that we preferred instead to focus on the advantages of voluntary compliance, particularly the value of adopting good practice security standards and frameworks such as ISO27k and COBIT - a far more positive and upbeat awareness message, don't you think?