Making sure your information security policy is working!
This post follows on from the October post about developing your organisation's information security policy and what it should include. That post discussed the reasons for having documented policies and what a basic security policy should contain. To continue the conversation, we wanted to discuss how to make sure staff are following these procedures and the best way to approach this. A policy or set of policies describing the required staff actions must be put in place and adopted by the Senior Management team, and a culture of compliance established. The main way to ensure policies are adhered to is to set up a checking and audit function as part of the process. To keep the costs of this to a minimum, consider the following:
Firstly, be clear on the actions that need to be taken. The policies need to be broken down into procedures, which are more detailed and relevant to the specific protection required. A policy item may say that information will be classified, but how do you classify? Where, and how? Procedures are required to describe how to achieve this, e.g. for personal information or intellectual property. Once the procedures are defined, they need to be written down. If required, Standard Operating Procedures (SOPs) could be drafted to support the policy implementation.
Secondly, engage with the department heads to explain the policies and procedures, so that they can locate, understand and communicate what is needed to their teams. This is the right place to ensure that the policies are clear and that it is understood why the procedures are necessary.
Thirdly, the material must be easy to digest and easy to execute. Use tools and technology to test users and monitor activity. Automate as much as you can.
Fourthly, it is okay to recognise those who follow the procedures. Users will soon notice how to improve things and suggest better ways to execute and audit actions. So have a scalable reward scheme to reward people who come up with new ideas.
Finally, check and check again. Check that people are doing what is needed. Check that the senior management see the results and improvements. Check that you are doing it as efficiently as you can. Check and talk to users regularly so that problems are dealt with quickly.
If you would like more information on how to ensure your information security policy is being implemented, then please CLICK HERE to get in touch and arrange your no-obligation consultation.