top of page
Image by Samsung Memory

Change Management

To strengthen data-handling security, this change management plan was created to help drive behavior change among busy, change-resistant engineers in the Apple Information Security (AIS) organization. It combined clear strategy, structured rollout, and timely reinforcements with built-in metrics to track adoption and impact over time.

Situational Analysis

Recent concerns have been raised about confidential content being left on camera media (such as SD cards and camera magazines) and the potential for this media being reused without proper deletion or destruction. As a result, there is a need to reinforce the importance of securely managing this media to prevent data leakage or security risks. Immediate action is required to communicate best practices for data deletion, destruction, and media handling in line with company policies.

The goal is to ensure that all employees, especially those working with sensitive content, are reminded of their responsibility to securely delete and destroy camera media according to the outlined guidelines. A clear and effective communication plan is essential to inform, educate, and provide easy access to resources on proper media handling.

Audience Segmentation

People Managers

Managers are responsible for overseeing their teams' media handling practices. They need to be equipped with the necessary information to cascade the message, ensure compliance, and support their teams in following the guidelines. Managers will benefit from a one-pager (brief or summary slide) to help them communicate the importance of this process effectively.

Individual Contributors (ICs)

ICs, particularly those handling camera media directly, must understand the step-by-step procedures for securely deleting and destroying content. These employees need direct, clear instructions and a single point of truth to easily refer to the guidelines.

Communication Tactics

Email Communication (Direct to All Employees)

The email will serve as a friendly but clear reminder of everyone’s responsibility to handle camera media and data securely. It will link to the detailed guidelines and strike a tone that’s supportive and respectful, encouraging compliance while making it easy for employees to find the information they need.

 
FAQ Document

This quick-reference FAQ will address potential common questions in a straightforward, accessible way to help employees feel more confident and informed as they follow the updated process.

 
Intranet Post

A dedicated intranet page will bring everything (email, guidelines, FAQs, optional tutorials, etc.) together in one place so employees always know where to go for the most up-to-date guidance. This central hub makes it easy to stay aligned and informed.

 
Tutorial Video (Optional)

For those who prefer visual guidance, this optional tutorial walks through how to securely delete sensitive content from camera media, with versions tailored for both MacOS and Windows users. Clear, on-screen steps make it easy to follow, while reinforcing the importance of secure data handling. The video will be posted alongside other resources on the intranet for easy access and added confidence.

 
Slack Post

A quick Slack post will serve as a gentle reminder to check the email and visit the intranet for all the details. It’s a light touchpoint that helps boost visibility and engagement across teams.

 
Manager Briefing (Slide or One-Pager)

Managers will receive a simple one-pager or slide deck summarizing what their teams need to know, why it matters, and where to find support materials. This equips managers to reinforce key messages and answer questions with clarity and consistency.

Draft Deliverables

1. Email to Employees

This email alerts employees to the security risk of leaving confidential data on camera media. It directs them to immediately review, securely delete, and destroy any sensitive content from media in their possession. Employees are also instructed to tag and track the media using an asset management system. A link to the full guidelines on the intranet is provided for detailed instructions. Compliance is emphasized to ensure data security and prevent leakage. (NOTE: A branded Composer template will be used for distribution.)

 

To: [ASI Employee Distribution List]

From: [Insert Reply-to Mailer Alias]

Date: TBD

Subject: 🔥🔥🔥 Immediate Action Required: Secure Deletion and Destruction of Camera Media

 

Hello Team,

We’ve recently discovered that some camera media, such as SD cards and camera magazines, may have retained confidential content, potentially exposing sensitive data. This is a security risk that requires immediate action.

Please assess any camera media in your possession and review the secure deletion and destruction procedures and inventory requirements on our [intranet page].

Key actions include:

  • Deleting data from camera media using secure methods

  • Properly tagging and tracking all media with a unique ID

  • Scheduling media for destruction once processed and returned

 

Failure to follow these procedures could result in data leakage, so please take the time to review and ensure compliance.

 

Thank you for your immediate attention to this important matter. If you have questions or need assistance, refer to the [posted FAQs] or contact [name/team].

 

[Complimentary Close]

[Signature Block]

2. FAQ Document

This FAQ should address the most common questions employees might have, ensuring clarity while keeping it focused and concise. The first question helps employees understand the importance of the task, and the following questions walk them through the necessary steps and resources.

Q1: Why am I being asked to do this?

You are being asked to review, securely delete, and destroy any confidential content on camera media (SD cards, camera mags, etc.) because leaving sensitive data on these devices poses a significant security risk. To protect our organization’s data, it’s essential that we follow proper procedures to make sure data is not inadvertently exposed or reused improperly.

Q2: What should I do if I have camera media in my possession?

If you have camera media in your possession, please take the following actions:

  1. Tag the media with a unique ID to ensure proper identification.

  2. Track the camera media using an asset management system (such as FileMaker Pro) and record the following details (at a minimum): Device ID, Device Model, Device Recipient, Check-Out Date, Return Date, and Purpose for Use.

  3. Schedule the asset for deletion and destruction once it has been processed and returned, as applicable.

  4. Update the storage device information in all applicable asset management systems before reusing the media.

 

Q3: Where can I find the detailed guidelines for secure deletion and destruction?

The full guidelines, including inventory requirements and steps for secure deletion and destruction, are available on our [intranet page]. Please refer to this resource for all the necessary details.

Q4: How should I tag and track camera media?

All camera media should be tagged with a unique ID and tracked using an asset management system, such as FileMaker Pro. At a minimum, you’ll need to record the following details for each piece of media: Device ID, Device Model, Device Recipient, Check-Out Date, Return Date, and Purpose for Use. This ensures proper tracking and accountability.

 

Q5: How do I securely delete content from camera media?

To securely delete content, format all storage devices using either (1) the native formatting function built into the camera or recording device OR (2) the native storage management program on macOS or Windows.

  • For macOS: Open Disk Utility and click the Erase icon. Select the appropriate drive format (e.g., ExFAT). Make sure Most Secure is set under Security Options.

  • For Windows: Mount the drive to your PC. Right-click the drive icon and click Format. Select the appropriate file system (e.g., ExFAT) and make sure the Quick Format option is unchecked.

Q6: How should I securely destroy the media once it's no longer in use?

If you need to destroy the media, make sure that it is physically destroyed according to the baseline requirements. This includes puncturing the device with at least three holes that penetrate through the entire unit. For larger storage devices, the holes must destroy the storage chips within the drive housing. Alternatively, you can use a reputable NAID AAA/ISO certified third-party vendor to destroy the media and request a certificate of destruction.

 

Q7: What happens if I don’t follow these procedures?

Failure to properly delete, track, and destroy camera media poses a risk of data leakage, which could compromise the security of sensitive information. It is essential to comply with these procedures to maintain the integrity of our data security standards.

3. Slack Post for Quick Reminder

The Slack post will serve as a brief reminder for employees to review the email and the intranet article about secure camera media management. It will include a link to the full guidelines and encourage employees to take immediate action. The goal is to amplify the message and ensure maximum visibility.

📣Secure Camera Media Management 📣
Hi Team! Please take a moment to review the Camera Media Management email sent on [date/time]. If you’re handling SD cards or other camera media, make sure all content is securely deleted and destroyed according to the instructions in our [guidelines] and that the media is properly managed. Let’s work together to keep our content secure! If you have questions, contact [team/name] for support. Thank you!

4. Manager Briefing (One-Pager/Quick Brief)

This briefing equips managers with key information about the security risks related to camera media and the actions employees must take. The goal is to have managers amplify the message, ensuring consistent communication and encouraging prompt compliance across teams. Managers are provided with tools to share the guidelines in 1:1s or team meetings.

Overview
We've identified a potential security risk with confidential content left on camera media (like SD cards and camera mags). To protect our data, it's essential that everyone securely deletes, destroys, and properly tracks any sensitive content on these devices. We’d appreciate your help in making sure all team members follow these important steps. Your support in spreading the word and guiding your team will be key to ensuring everyone stays on track.

Key Actions for Employees

  1. Review and Securely Delete Content: All employees must securely delete any confidential content from camera media they currently possess.

  2. Tag and Track Media: Employees should tag all media with a unique ID and track it using an asset management system (e.g., FileMaker Pro).

  3. Follow Deletion and Destruction Procedures: Make sure media is properly processed for destruction once no longer in use, following our guidelines.

 

Your Role

  • Leverage 1:1s & Team Meetings: Use your 1:1s and team meetings to ensure the message is understood, answer questions, and encourage employees to take immediate action.

  • Support Compliance: Make sure that team members understand the potential security risks of non-compliance and the importance of following the guidelines.

 

Resources

  • Full Guidelines: [intranet article link]

  • FAQs: [intranet FAQ link]

  • Tutorial Videos: [intranet videos link]

  • Contact: If any team members need help, direct them to contact [team/name] for support.

 

 

5. Video Tutorial (Step-by-Step Deletion Process)(Optional)

This tutorial video provides employees with a live demonstration of how to securely delete sensitive content from camera media. Separate versions are available for both MacOS and Windows. The video walks users through the deletion process with on-screen steps, making it ideal for those who prefer visual instructions. This resource ensures employees can follow the procedure correctly and with confidence, reinforcing security best practices.

MacOS Storyboards: 

  • [insert screen capture]

  • [insert screen capture]

  • [insert screen capture]

 

Windows Storyboards:

  • [insert screen capture]

  • [insert screen capture]

  • [insert screen capture]

Execution Timeline

1. Intranet Article Release

  • Date: [insert date]

  • Action: Publish the full guidelines, FAQs, and tutorial videos on the team intranet page. This will serve as the reference point for all employees.

 
2. Email Distribution
  • Date: [insert date, ideally 1-2 days after intranet release]

  • Action: Send the email to all employees, directing them to the intranet article for detailed instructions on secure deletion, destruction, and media tracking.

  • Include: Attach the Manager One-Pager to the email or post it on the intranet for managers to download. This will equip managers to cascade the information effectively within their teams.

 
3. Slack Reminder

  • Date: [insert date, ideally 3-5 days after email]

  • Action: Post a Slack message to remind employees about the email and encourage them to read the guidelines on the intranet. Make sure the post includes a link to the article for easy access.

Metrics and Engagement

To measure the success of this communication, we propose using engagement metrics that provide direct insight into employee interaction with the communication materials. These metrics will help assess whether employees have received and engaged with the message and how well they understand the secure deletion, destruction, and media tracking practices.

Engagement Metrics:

  1. Email Open Rate: Measure how many employees opened the email containing the instructions for securely deleting, destroying, and managing camera media. If less than 50% of the organization opened the email, we will send a follow-up communication and/or leverage managers to ensure the message reaches a broader audience.

  2. FAQ Page Visits: Track the number of employees who visit the FAQ page related to the camera media deletion process. This will indicate how many employees are actively seeking additional information or clarifications.

  3. Video Views: Track how many employees watch the instructional video provided in the communication. This will measure how many employees engaged with the video content for further understanding.

 

Follow-up Actions:
  • If email open rates are below 50%, follow-up emails or Slack reminders will be sent, encouraging employees to review the materials.

  • If there is low engagement with the FAQ or video content, we will lean into managers to help assess and encourage compliance.

 

By focusing on these engagement metrics, we can track the reach and effectiveness of the communication while ensuring that employees are not only receiving the information but also engaging with it. These insights will guide future communication efforts and help refine strategies to increase employee participation and understanding.

Approach

By implementing this strategy, we will ensure that employees understand their responsibility in securely handling camera media, reinforcing the importance of data protection, and minimizing the risk of security breaches. This multifaceted approach of emails, FAQs, intranet resources, and Slack reminders will keep the message clear, accessible, and top of mind across all levels of the organization. Managers will be empowered to cascade this information within their teams, ensuring widespread awareness and adherence to security protocols.

While sending a simple email with an attached FAQ may address the immediate need, a more strategic, comprehensive communication plan offers significant advantages:

  1. Tailored Messaging: A detailed plan allows for audience segmentation, ensuring messages are tailored to different employee groups for maximum relevance and impact.

  2. Clear Structure and Timing: A defined timeline ensures that messages are coordinated and delivered consistently. It also helps schedule communications during periods when there are fewer competing priorities, reducing the risk of important messages getting lost in the noise of other communications or events.

  3. Enhanced Engagement: With diverse tactics such as follow-up Slack, intranet post, etc., employees can engage with the content in a variety of ways. This provides better accessibility to materials and promotes understanding and compliance throughout the org.

  4. Sustainability and Adaptability: A full plan provides the flexibility to adapt future communications as needed, ensuring that updates or changes can be seamlessly integrated without sending out repeated emails or attachments.

  5. Long-Term Clarity: A comprehensive strategy supports ongoing clarity and accessibility, reducing the need for reactive or ad hoc communications and making it easier to track engagement and address feedback.

 

This approach ensures that the communication is clear, consistent, accessible, and scalable, allowing for both immediate impact and ongoing flexibility to address evolving 

Note

This change management plan is here to give you a sense of how I think and approach my work. I appreciate you respecting the time and thought behind it by not copying, sharing, or reusing it without my written permission.

LAIMIN LO | PORTFOLIO

© 2025 by Laimin Lo. All rights reserved.

bottom of page