COMPLIANCE COUNSELOR

Seven secrets to successful employee involvement in security policies


Ed Tittel
12.30.2002


Security mavens are forever making the point that when it comes to security, no environment is stronger than its weakest link. Since people are often easier to trick, subvert, or mislead than systems and technology, proper training and understanding of the human side of security policy is an essential ingredient for its most successful implementation. The following seven points sum up most of the collective wisdom on how to inform, engage, involve and work with the people within an organization where security matters are concerned.

  1. Understanding is key
    Employees, contractors and anyone else with access to your systems and services must be sufficiently informed about why security is important (to protect and preserve key assets, information and so forth) and what each person must do to create and maintain a secure environment.

  2. Training is essential
    New employees must be informed about the organization's security policies in a general way, and must buy into the idea that they have an important role to play in maintaining security. Each person should also be aware of what he or she must and can do to keep security as strong and effective as possible. As security policy changes with time, system upgrades, new services and so forth, employees must be kept informed about anything new. It's also a good idea to issue regular reminders on such topics to keep information fresh in people's minds.

  3. Small statements are not only beautiful, but memorable
    It's absolutely essential to break security policy documents down into small, digestible pieces -- each one preferably no more than one page in length -- that describe elements of security policy that touch individuals directly. This includes a page on passwords; security tokens; keycards, keys and other access controls; acceptable use policy; acceptable access policy and so forth. Mandy Andress's Surviving Security and the SANS Security library have great examples.

  4. Buy-in comes from sign-offs
    As new or updated security policies are published, all employees must be required to sign an "I've read and understood these documents" agreement that makes them responsible for their part of the security puzzle. Likewise, new employees must sign off on the current state of affairs as they join an organization. If responsibilities change, new signatures should also be collected. The idea is to make people take legal responsibility.

  5. Failures, breaches, or mistakes have consequences
    Employee handbooks and security policy documents should clearly explain what happens if an employee knowingly or mistakenly violates security policy (intent may also need to be addressed, if legal action is contemplated). Consequences should be clearly spelled out, and must be imposed to convince employees that they are serious and "real."

  6. Always ask for input
    Overly restrictive security controls and policies are sometimes worse than overly lax security controls and policies, because they're likely to be ignored. When formulating policy, it's important to solicit user and management input to properly balance risks against usability and workability concerns. An open door to input, an open mind to consider what's said or suggested and a good sense of balance between what's secure and what works are keys to building and enforcing liveable security policies.

  7. Create a "neighborhood watch" mentality
    Ordinary users are often the first to notice when extraordinary or strange events occur, and when early warnings of attacks or threats appear. If those users buy into the idea that security has value and is worth maintaining and protecting, they will often inform you about potential threats to physical, network, or system security before attacks can succeed. Turn your users into allies and supporters, and you can improve overall security as a bonus consequence!

Please feel free to e-mail me with feedback, comments, or questions at etittel@lanw.com.


Ed Tittel is a principal at a content development company based in Austin, Texas, and the creator of the Exam Cram series. He's worked on numerous certification titles on Microsoft, Novell, CIW and Sun topics, and is working on several security certification books.

