In the first of this two part article, the discussion centered around the creation of IT security policies and why there often is strong resistance to their existence and implementation. Successfully implementing IT security polices goes beyond the technology and encompasses an understanding of organizational structures and workplace psychology.
In the second part, I will be expanding a bit more on the importance of communication and how some common sense approaches to their implementation within the organization can make a difference.
KISS – keep it short and simple
Brevity is key to communication and if something can be said in a one-page document then do not write two or three. As much as the security manager may want to go into detail, remember that employees (and readers in general) have a short attention span; they will read the two first paragraphs and skip texts with language they find hard to understand.
Security policies are there to be followed so security managers should not complicate procedures or the requirements if employees are going to find difficulty to comply. Put yourself in an employee’s shoes and ask: “Can I comply with this?” If you can’t, then don’t expect others to.
Employees have a job to do. They are paid to get work done, properly and within an established timeframe. Security policies should strengthen security without hindering their job. Policies, when possible, should be integrated into business processes, otherwise employees will find ways around them to do their job. If an employee has to choose between doing a good job and complying with a security policy, that employee will choose the former – no matter what.
Big Brother is looking
If employees only see security policies as an attempt by the IT department to police their activity, then the whole scope of those policies is defeated. Through a constructive approach to security and what is acceptable user activity, security managers can integrate these policies into the corporate understanding of security, data security and an improved all-round working experience. If the ‘security is there to secure your activity at work’ message gets through, then security policies will be seen as a contributing factor and not another Big Brother exercise initiated by the IT department and supported by management.
Set an example
If security policies are going to be implemented, make sure that they are applied to everyone in the organization. If a policy states that only authorized personnel can access the server room, the directors or the CEO – who have no reason to be there anyway – should not be given access. When lower grade employees see that management has to follow the same rules, there will be a greater chance they will comply with the policies.
Cater for different groups
Policies should be adopted and designed to target different groups of users. Whilst retaining the same message, security policies often need to be presented in a different format to users.
Security is not a static process and policies may need to be changed or amended over time. Any changes and newly implemented policies need to be communicated to employees on a regular basis. This could either occur through the organization’s annual training program or via the corporate newsletter. For smaller organizations, an email should be sufficient.
Are they manageable?
How many policies do employees have to comply with? Ten, 20 or more? The more security policies an organization tries to implement, the greater the risk that some of them (if not all) will be ignored. Reducing the number to say a dozen or less and applying them properly will make it easier for users to comply with (and bother to read them).
IT security policies are indispensable for an organization. They give structure to the organization’s efforts to secure data and help to instill a strong of sense of responsibility among the workforce. A proper security policy creation process coupled with an employee awareness program will dispel any negative ideas employees may have, allow the organization to function at a more productive level and reduce the possibilities of disruption and damage to a minimum.