Tell staff members what level of confidentiality you are applying to discussions about their device and technology usage, i.e. explain which incident response triggers you have agreed upon with the organization, and that anything that does not trigger them will be reported only in aggregate.
If using screen sharing, use a service with transport security and "lock" the room, or make sure the user knows to end the call if anyone unexpected joins the room (unlikely).
- Work or Personal Email
- Work or Personal Calls
- Chat Apps with partners/friends non-work related
- Social media apps
User Software and Tools
- Email software
- Other shared file systems
- Voice calls
- General browser usage
- Program tracking software
- extranet / other sites?
- Dropbox / Google Drive
- Work Email
- Personal Email
- Websites and blogs
- Social media
- Online CRM or mass-mailing tools (SalesForce, CiviCRM, MailChimp...)
- Office/home location
- Transportation means
- Physical security
As you work with staff members (this pairs well with the device checklist activity and a day in the life), also interview them about the other devices they use, and how they connect to work or personal services - email/webmail, intra/extranet tools, Constituent Relationship Management (CRM) tools like CiviCRM or Salesforce, financial tracking tools, social media, and website management tools.
This can also be done remotely. Ask the staff member to use a screen sharing tool (meet.jit.si or appear.in offer easy-to-use, browser-based options) so that you can watch how they interact with their computer and what applications are active in the background.
Multi Factor Authentication
When possible, enable multi factor authentication on work accounts (email, social media, website administration, etc.), especially if the accounts are being accessed with personal devices.
See also the recommendations under the Device Checklist Activity.