Strategy Day 2: Establish Strict Policies and Procedures
Policies
Let me start this article by apologizing for not publishing this sooner. We had an unfortunate situation arise but it is now taken care of.
Policies and procedures regulate business operations and are essential for defining the standards and expectations of employee behavior and actions in the workplace. They also serve as guidance when creating mission statements and determining business goals. While establishing strict, security-focused protocols is essential, a system of validation and enforcement is just as critical. After all, rules without enforced or enforceable consequences are merely suggestions.
Among the first policies that I feel are needed is a clear AUP, or Acceptable Use Policy, covering the technology that is used and allowed to be used for company business. This sets the stage and outline for your other employee policies and will help you build a security-conscious company culture. It is especially important with the explosion of IoT devices, because of the new attack surface they present to your company’s critical assets.
If you have employees, you already have some sort of expected-behavior policies covering sexual abuse and harassment, visitor and phone etiquette, problem resolution, attendance and more. But many companies either do not enforce a technology AUP or just plain don’t have one. Your AUP must be reasonable and strictly enforced across the board.
AUP compliance and enforcement is very important for your executives and IT team, as they generally have more system rights and therefore present a higher risk when something bad happens. I recently read an article in The Wall Street Journal about a study done by a penetration testing firm. The study targeted executives from many companies. One of the testers’ tasks was to pose as an attractive young lady and befriend the executives. When all was said and done, the tester had successfully used social media to make ‘friends’ with over 40 C-level execs and had convinced a surprising number of them to divulge not only their system login names but their passwords as well.
Your AUP will include password complexity, allowed and disallowed non-business sites and activities, allowed recreational internet usage times (if applicable), social media usage and much more. You need these not only to protect your business but also to instill a security consciousness in employees that carries over to when they are not on the clock.
Another policy could be your cybersecurity policy, which would include email phishing simulation and ongoing cybersecurity training as well as acceptable practices for off-premises or remote workers. HR and your IT team will also need to work together to define proper onboarding procedures and, more importantly, employee termination and resignation procedures. This is extremely important. When an employee leaves, for whatever reason, their company-owned assets must be secured immediately. Failure to do so may leave them a way to access your systems and data after they are no longer employed, which could result in theft of critical data and major HIPAA and other compliance issues that you will be liable for.
Consequences for violation of the policies should be clear and concise and always strictly enforced. Failure to be clear and concise will result in the inability to enforce the policy. If you cannot enforce them, then, as I mentioned at the beginning, they are reduced to suggestions.
Let us help you develop security-driven policies and procedures for your business.