Define a Program Scope and Charter

Time
3 hours 39 minutes
Difficulty
Intermediate
CEU/CPE
4
Video Transcription
00:00
>> Module 2.5, define a program scope and charter.
00:00
During one of the previous modules,
00:00
we talked about how some organizations will want
00:00
project management skills within
00:00
the responsibility role of a privacy manager.
00:00
In this module, we'll discuss some of the basics of
00:00
a scope document as well as
00:00
a charter as it pertains to a privacy program.
00:00
We're going to talk about scope and
00:00
charters but we're also going to
00:00
discuss scope integration concerns.
00:00
If you have a project management office
00:00
or project managers,
00:00
I think they would really appreciate this part of
00:00
the module and some takeaways from this module that
00:00
you can bring to them if they are assisting you
00:00
with the implementation of your program.
00:00
Let's talk about what a scope and charter are.
00:00
A charter includes the stakeholders by name and role,
00:00
along with the vision and desired governance model.
00:00
It's a high-level document
00:00
explaining why the program exists.
00:00
Typically, a charter is something
00:00
that would be included or be part of,
00:00
in my opinion, your business case
00:00
for creating your program.
00:00
The scope includes identifying and
00:00
personal information collected and processed,
00:00
as well as in-scope
00:00
privacy and data protection laws and regulations.
00:00
A privacy program scope document is
00:00
an in-depth document that provides
00:00
the specifics on what your program will cover.
00:00
Now, it's important to note that in most cases,
00:00
if not all cases,
00:00
a charter would come before the scope.
00:00
The scope should define who collects, uses,
00:00
and maintains personal information
00:00
which is why it's important to make sure
00:00
that a lot of functions and departments within
00:00
your organization are included within the scope,
00:00
so you have an understanding what information is
00:00
being collected, used, and maintained, and why.
00:00
Types of personal information collected and purpose,
00:00
where the data information is stored,
00:00
or data is transferred,
00:00
when collection occurs,
00:00
security controls in place to protect data,
00:00
incident handling and response,
00:00
monitoring, define regulatory landscape.
00:00
You can see here the scope is quite broad.
00:00
However, if we go back to
00:00
the job descriptions we reviewed in a previous module,
00:00
you'll see that your scope should include
00:00
a lot of the items that you are responsible for.
00:00
I would also note too,
00:00
because this is a management instruction level course,
00:00
that if you aren't able to
00:00
include some of these items within the scope,
00:00
it's important to understand,
00:00
to work where you can either transfer
00:00
the responsibilities elsewhere within your organization,
00:00
so another organization or a function can pick that up.
00:00
Whether you outsource these types of
00:00
functions or whether it's something that
00:00
you choose not to tackle at this time
00:00
because you don't have the resources to do so.
00:00
It's important to make sure that
00:00
the scope should include what you have the capability
00:00
of handling in the near future and you can
00:00
always include how you want to mature your program later.
00:00
You at least have the opportunity to get
00:00
your program off the ground and not wait for
00:00
something that may never come or could take
00:00
some significant time and resources to
00:00
get one of these elements included in your scope.
00:00
Some integration requirements are certainly
00:00
to involve senior leadership.
00:00
We talked about getting the senior management
00:00
or executive approval for our program.
00:00
That's something that should certainly
00:00
not stop when it comes to
00:00
creating your charter and certainly your scope document.
00:00
You want to involve all the stakeholders.
00:00
You may find new stakeholders
00:00
as you develop, that's okay.
00:00
It's important to make sure that you
00:00
include as many as you can upfront.
00:00
Develop internal partnerships, provide
00:00
flexibility and note that
00:00
when you're creating these documents,
00:00
there're most likely going to
00:00
be changes that are made whether you
00:00
expand the scope document or whether you
00:00
restrict because of resource limitations.
00:00
It's important to make sure that
00:00
flexibility is understood.
00:00
Leverage communications and leverage collaboration
00:00
throughout the functions of your organization,
00:00
especially as you're talking about
00:00
information that's being gathered and
00:00
processed and transmitted throughout
00:00
your organization as it relates
00:00
to information that would
00:00
fall under your privacy program.
00:00
Some of the challenges with implementing
00:00
your scope of your program is, of course,
00:00
as we talked about in previous modules,
00:00
whether you have a domestic footprint that
00:00
is just unique to the region.
00:00
But if you have more of a global footprint
00:00
or if you're dealing with citizens
00:00
from other countries or other regions of
00:00
the world that have different privacy laws,
00:00
you may have to take those into consideration.
00:00
This may be a wake-up call for not only your program but
00:00
your leadership as far as how
00:00
far your privacy program could stretch.
00:00
Scope creep is also something that is
00:00
a common project management term that is used
00:00
to identify items that are typically added.
00:00
Once your scope has been implemented and
00:00
your project is going as changes go on,
00:00
scope creep can increase
00:00
not only a risk of not finishing on time,
00:00
but it can also increase your expenses.
00:00
It may also increase your risk profile,
00:00
which is something that your privacy program
00:00
is looking to reduce.
00:00
It's important to manage
00:00
your scope as you go through implementation.
00:00
If there are significant changes that
00:00
are required for your scope,
00:00
it's important to make sure that those changes are
00:00
understood and how they
00:00
would impact your overall program,
00:00
not only from a resource allocation standpoint
00:00
but from a budgetary standpoint and your timeline.
00:00
Legal and cultural concerns could be an issue.
00:00
There's a lot of privacy regulation out there.
00:00
Maybe you missed something that
00:00
you were looking at or maybe there's
00:00
simply just some language barriers or
00:00
some cultural concerns that you have to overcome.
00:00
Hopefully, you have the resources
00:00
internally to help you do that.
00:00
But if you don't, you'll have to figure that out.
00:00
Limited enforcement or oversight.
00:00
We sometimes throughout our career
00:00
get the go-ahead to get
00:00
a new initiative going but find out that sometimes
00:00
initiatives change or
00:00
priorities for organizations change.
00:00
It's important to make sure how are you going to keep
00:00
your program and the project moving forward,
00:00
whether the accountability is there,
00:00
who is going to oversee that progress,
00:00
and what type of accountability is associated with
00:00
getting the program rolled out.
00:00
Having an unrealistic budget or
00:00
schedule is something that is always
00:00
a challenge with rolling
00:00
out your project and building your scope.
00:00
Some projects can be overly
00:00
ambitious and others may not be ambitious enough.
00:00
It just depends on your initiative and going back to
00:00
your overall vision for
00:00
your program as that relates to your scope.
00:00
Are you able to tackle
00:00
all the items you need to within the scope?
00:00
Then, limited technology resources is
00:00
another item here where they've seen
00:00
some very ambitious programs
00:00
get started but there simply isn't
00:00
enough resources from a technical standpoint whether it's
00:00
people or equipment or
00:00
software to be able to get that program going.
00:00
It's important to make sure that could be
00:00
a procurement step or a requirement here to bolster
00:00
your technology resources as it pertains to
00:00
rolling out and getting
00:00
your privacy program started or enhanced.
00:00
Quiz question. The privacy program scope should
00:00
cover all personally identified data captured,
00:00
processed, and stored at the organization.
00:00
Of course, the answer is true.
00:00
If you find that this is going to be difficult to do,
00:00
I strongly recommend you look at
00:00
your scope and communicate with
00:00
your executive or leadership team to
00:00
understand how to prioritize
00:00
what you're going to tackle first.
00:00
In this module, we discussed privacy program
00:00
scope and charters,
00:00
we also discussed scope integration concerns.