Awareness activities are an important and necessary component of an effective, layered, information assurance program. Too little time is spent on communicating information security and privacy requirements, threats, vulnerabilities, and other related issues within most organizations. Providing regular traning and ongoing awareness activities to all personnel, along with customized training to targeted groups with unique information security responsibilities, such as call centers, sales and marketing folks, and applications and systems developers, as is also very important.
April 8 through 14, 2007, is Health Information Privacy and Security Week.
This is an annual event is sponsored by the American Health Information Management Association (AHIMA) to raise awareness among healthcare professionals, their employers, and the public of the importance of protecting the privacy, confidentiality, and security of personal health information.
However, if you are not within a healthcare organization, but have not provided any awareness activities for a while, say 2 to 3 weeks or more, consider doing some activities next week too. The AHIMA site provides a few suggested activities.
In my book, Managing an Information Security and Privacy Awareness and Training Program, I list 142 awareness activities in one of the chapters, and in another chapter I list 14 movies and television shows that are also effective in raising awareness. I have added several items to these lists in the past 2 1/2 years since I wrote the book, but you should still find enough listed in the book to get you started. I have it on my to-do list to set aside the time to make my notes legible with some updates, perhaps this year I’ll get it done.
I loved doing awareness activities when I was responsible for information security and privacy for a large financial company; what a great creative outlet, and a nice change of pace from fighting information security fires! One year we set up a “Wheel of Security Fortune” outside the cafeteria for international computer security day. As people entered or left they would spin this huge wheel, and answer a question for the topic the clicker-pointer landed on. The questions incorporated our information security policy requirements and presented them in a way that related to work responsibilities and performing daily business. They were of varying degrees of difficulty and we gave prizes of various sizes for correct answers; from candy-wrapped mints with a picture of our information security mascot on it all the way up to a gift certificate to the cafeteria for a full meal. This was a great success; well-received, plus we were able to establish some metrics based upon the participation and percentage of correct answers for how aware our personnel were about the various information security topics.
If you are doing something next week for this, please share with us what you do! It is always great to hear about the creativeness of information security and privacy folks, and if you’ve happened upon something that is working well please share with others so they can follow your example and improve awareness within their organizations also.
Tags: AHIMA, awareness and training, data protection, governance, Information Security, IT compliance, privacy, privacy and security Week, risk management