Define a Program Scope and Charter

3 hours 39 minutes
Video Transcription
Module 2.5: Define a Program Scope and Charter.
During one of the previous modules, we talked about how some organizations will want project management skills within the responsibility role of a privacy manager. So in this module we'll discuss some of the basics of a scope document, as well as a charter, as it pertains to a privacy program.
We're going to talk about scope and charters, but we're also going to discuss scope integration concerns. If you have a project management office or project managers, I think they would really appreciate this part of the module and some takeaways from this module that you can bring to them if they are assisting you with the implementation of your program.
So let's talk about what a scope and charter are. A charter includes the stakeholders by name and role, along with the vision of desired governance model. It's a high-level document explaining why the program exists.
Typically a charter is something that would be included or be part of, in my opinion, your business case for creating your program.
The scope includes identifying the personal information collected and processed, as well as in-scope privacy and data protection laws and regulations.
A privacy scope, or privacy program scope document, is an in-depth document that provides the specifics on what your program will cover.
Now, it's important to note that in most cases, if not all cases, a charter would come before the scope.
The scope should define who collects, uses and maintains personal information, which is why it's important to make sure that a lot of functions and departments within your organization are included within the scope, so you have an understanding of what information is being collected, used and maintained, and why. It should also define the types of personal information collected and purpose; where the data or information is stored; where data is transferred; when collection occurs; security controls in place to protect data; incident handling and response; monitoring; and the defined regulatory landscape.
So you can see here, the scope is quite broad. However, if we go back to the job descriptions we reviewed in a previous module, you'll see that your scope should include a lot of the items that you are responsible for. And I would also note too, because this is a management-type, instruction-level course, that if you aren't able to include some of these items within the scope, it's important to understand where you can either transfer the responsibilities elsewhere within your organization, so another organization or a function can pick that up, whether you outsource these types of functions, or whether it's something that you choose not to tackle at this time because you don't have the resources to do so. So it's important to make sure that the scope should include what you have the capability of handling in the near future. And you can always include how you want to mature your program later. So you at least have the opportunity to get your program off the ground and not wait for something that may never come or could take some time or resources, significant time and resources, to get one of these elements included in your scope.
Some integration requirements are certainly to involve senior leadership, and we talked about getting senior management or executive approval for our program. And that's something that should certainly not stop when it comes to creating your charter and certainly your scope document. You want to involve all the stakeholders, and you may find new stakeholders as you develop. That's okay. It's important to make sure that you include as many as you can up front. Develop internal partnerships, provide flexibility, and note that when you're creating these documents, there are most likely going to be changes that are made. Whether you expand the scope document or whether you restrict because of resource limitations, it's important to make sure that flexibility is understood. Leverage communications and leverage collaboration throughout the functions of your organization, especially as you're talking about information that's being gathered and processed and transmitted throughout your organization as it relates to information that would fall under your privacy program.
Some of the challenges with implementing the scope of your program are, of course, as we talked about in previous modules, whether you have a domestic footprint that is just unique to the region. But if you have more of a global footprint, or if you're dealing with citizens from other countries or other regions of the world that have different privacy laws, you may have to take those into consideration. This may be a wake-up call for not only your program but your leadership as far as how far your privacy program could stretch.
Scope creep is also a common project management term that is used to identify items that are typically added once your scope has been implemented and your project is going. As changes go on, scope creep can increase not only the risk of not finishing on time, but it can also increase your expenses.
It may also increase your risk profile too, which is something that your privacy program is looking to reduce. So it's important to manage your scope as you go through implementation. And if there are significant changes that are required to your scope, it's important to make sure that those changes are understood on how they would impact your overall program, not only from a resource allocation standpoint, but from a budgetary standpoint and your timeline.
Legal and cultural concerns could be an issue. There's a lot of privacy regulation out there. Maybe you missed something that you're looking at, or maybe there's simply just some language barriers or some cultural concerns that you have to overcome. Hopefully you have the resources internally to help you do that, but if you don't, you'll have to figure that out.
Limited enforcement or oversight: we sometimes, throughout our career, get the go-ahead to get a new initiative going, but find out that sometimes initiatives change or priorities for organizations change. So it's important to make sure how you are going to keep your program and the project moving forward, whether the accountability is there, who is going to oversee that progress, and what type of accountability is associated with getting the program rolled out.
Having an unrealistic budget or schedule is something that is always a challenge with rolling out your project in building your skill. Some projects can be overly ambitious and others may not be ambitious enough. It just depends on your initiative and, you know, going back to your overall vision for your program as it relates to your scope.
Are you able to tackle all the items you need to within the scope? And then limited technology resources is another item here, where they've seen some very ambitious programs get started, but there simply aren't enough resources from a technical standpoint, whether it's people or equipment or software, to be able to get that program going. So it's important to make sure that there could be a procurement step or a requirement here to bolster your technology resources as it pertains to rolling out or getting your privacy program started or enhanced.
Quiz question:
The privacy program scope should cover all personally identifiable data captured, processed and stored at the organization.
Of course, the answer is true.
If you find that this is going to be difficult to do, I strongly recommend you look at your scope and communicate with your executive or leadership team to understand how to prioritize what you're going to tackle first.
In this module, we discussed privacy program scope and charters. We also discussed scope integration concerns.