Seven secrets to successful employee involvement in security policies

Seven secrets to successful employee involvement in security policies

Security mavens are forever making the point that when it comes to security, no environment is stronger than its weakest link. Since people are often easier to trick, subvert, or mislead than systems and technology, proper training and understanding of the human side of security policy is an essential ingredient for its most successful implementation. The following seven points sum up most of the collective wisdom on how to inform, engage, involve and work with the people within and organization where security matters are concerned.

  1. Understanding is key
    Employees, contractors and anyone else with access to your systems and services must be sufficiently informed about why security is important (to protect and preserve key assets, information and so forth) and what each person must do to create and maintain a secure environment

  2. Training is essential
    New employees must be informed about the organizations' security policies in a general way, and must buy into the idea that they have an important role to play in maintaining security. Each person should also be aware of what he or she must and can do to keep security as strong and effective as possible. As security policy changes with time, system upgrades, new services and so forth, employees must be kept informed about anything new. It's also a good idea to issue regular reminders on such topics to keep information fresh in people's minds.

  3. Small statements are not only beautiful,

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

  1. but memorable
    It's absolutely essential to break security policy documents down into small, digestible pieces -- each one preferably no more than one page in length -- that describe elements of security policy that touch individuals directly. This includes a page on passwords; security tokens; keycards, keys and other access controls; acceptable use policy; acceptable access policy and so forth. Mandy Andress's Surviving Security and the SANS Security library have great examples.

  2. Buy-in comes from sign-offs
    As new or updated security policies are published, all employees must be required to sign an "I've read and understood these documents" agreement that makes them responsible for their part of the security puzzle. Likewise, new employees must sign off on the current state of affairs as they join an organization. If responsibilities change, new signatures should also be collected. The idea is to make people take legal responsibility.

  3. Failures, breaches, or mistakes have consequences
    Employee handbooks and security policy document should clearly explain what happens if an employee knowingly or mistakenly violates security policy (intent may also need to be addressed, if legal action is contemplated). Consequences should be clearly spelled out, and must be imposed to convince employees that they are serious and "real."

  4. Always ask for input
    Overly restrictive security controls and policies are sometimes worse than overly lax security controls and policies, because they're likely to be ignored. When formulating policy, it's important to solicit user and management input to properly balance risks against usability and workability concerns. An open door to input, an open mind to consider what's said or suggested and a good sense of balance between what's secure and what works are keys to building and enforcing liveable security policies.

  5. Create a "neighborhood watch" mentality
    Ordinary users are often the first to notice when extraordinary or strange events occur, and when early warnings of attacks or threats appear. If those users buy into the idea that security has value and is worth maintaining and protecting, they will often inform you about potential threats to physical, network, or system security before attacks can success. Turn your users into allies and supporters, and you can improve overall security as a bonus consequence!

Please feel free to e-mail me with feedback, comments, or questions at etittel@lanw.com.

Ed Tittel is a principal at a content development company based in Austin, Texas, and the creator of the Exam Cram series. He's worked on numerous certification titles on Microsoft, Novell, CIW and Sun topics, and is working on several security certification books.


This was first published in December 2002

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

Back to top