We have been doing quite a few assessments as the threat of security issues gets more and more attention. During this process we see two primary issues keep coming up – 1) Documentation of Processes and Procedures, and 2) Enforcement. Let’s look at the impacts.
As we have long seen, most companies want to do the right thing about security and they are generally aware of the issues. Some companies even have some policies and processes written into or included in their on-boarding or in-processing materials. We see that key individuals or management within these companies even know the right thing to do if something happens. Unfortunately, these processes are generally not documented, and what is documented is generally limited in nature (mostly small sections within larger company policies covered during on-boarding).
Let’s be clear – in order to create the right security mindset and culture, companies need to take the extra step and create clear security policies as part of a larger security plan. Policies tucked inside other policies or employee handbooks do not convey the same level of importance and can be easily overlooked by employees. Additionally, having security policies as part of a larger employee handbook or on-boarding guide usually does not allow for elaboration or detailed policies; rather, it just provides an overview and sets expectations. This is not to say that security policies cannot be incorporated into the on-boarding documents, but it is recommended to also have employees review the security plan and security policies as one standalone document. Employees need to acknowledge reading these policies and should be required to review them annually. This helps reinforce the importance of security.
Having your security plan and policies documented also helps with enforcement. Employees need to know what to do in the event of an issue or incident, and they need to know what their responsibilities are. What happens if the one individual or person in management who knew the procedure is out, or left the company a month ago, and now no one knows what to do? Documentation allows for the retention of institutional knowledge. All that knowledge doesn’t walk out the door. And a great way to ensure everyone knows what to do is by holding drills and exercises. Train on it and then practice it. Identify issues and resolve them so everyone knows.
And finally, as it pertains to enforcement – it starts with leadership setting the standard. Leaders need to show they are adhering to policies, they need to implement security controls and then do spot checks, and they need to take corrective actions without employees fearing for their jobs. Granted, if there is a long-standing pattern of misconduct with regard to security, that is another matter, but for most, a corrective action will help enforce and reinforce the policy.
Documentation and enforcement – critical to an organization and go hand in hand.