
Creating a security policy for your employees is a good way to keep everyone on the same page as far as security goes, and is necessary if you need to take legal action.
Slide Notes:
Employee Security Policy
Culture
Employee Bonding and Buy In
- Relationships are worth more than products
- People telegraph their intentions, fire them BEFORE they become a problem
- Seek to understand employee problems and then find where YOU can yield
- Managers are employees too…
- Build a network of influencers and get their buy-in
IT and the CEO
- What does the CEO envision
- What are the CEO’s goals
- What are the CEO’s priorities
IT and HR
- Understand the hiring and firing process
- Understand what issues HR is having
- Understand what the rules and laws are for employers
IT and Legal
- Understand what the legal priorities of the company are
- Understand what regulations affect your company (HIPAA, PCI)
- Create a connection so when asked to do something questionable you have someone to call
IT and Marketing
- Understand what data Marketing wants
- Understand what systems Marketing uses
IT and Employees
- Understand what the employees are supposed to do
- Understand what the employees actually do
- Understand Pain Points
Acceptable Use Policy
- Tell your employees what is and is not acceptable use of electronic equipment.
- Have them sign the dotted line…
- Many free templates available.
- Don’t just copy/ paste a template. Think about what you are telling your employees to sign.
- Stupid contracts breed contempt….
Written Employee Policies
- Having written policies keeps everyone on the same page
- Written policies make discipline easier
- Have a formal review process for policies with timed revisions and updates
Social Media Policy
- “Cancel Culture” is real
- Make sure employees understand where the company stands
- Do you want employees putting who they currently work for on social media?
- DON’T FRIEND COWORKERS
Standards for Discipline
- Rules NEED punishments
- Document what the punishments are, and why they are implemented.
- Make disciplinary actions as public as possible (legal considerations)
- “Discretion” is “racism/ sexism/ ableism/ ismism”
Worth the Argument?
- Sometimes “because” is an appropriate answer
- In Debate Culture YOU LOSE
- Fighting is more fun than working…
- Deal with in PRIVATE
- Business is a decision, what do both sides actually care about
Separation of Authority
- No one person to blame
- “I would, but… THEY won’t let me”
Digital Surveillance (Video and Audio)
Email Scanning
- Scan emails for objectionable words, bounce back emails and notify that the email was logged.
- Communication is about more than “email”
BYOD Issues
- If THEY own it what rules can you have?
- Create separate networks for BYOD
- Build a ZERO TRUST infrastructure
Shadow IT
- Why are employees using Shadow IT?
- What Pain Point is Shadow IT solving?
- Bring Shadow IT into the light.
- Shadow IT NEEDS consequences
Whitelists/ Blacklists and DNS
- Use DNS filters and such to prevent users from going to inappropriate sites on company equipment.
- Give employees a safe passage with guest network access for their BYOD
System Auditing
- Have systems continuously audit the infrastructure
- User logons
- Device Discovery
- Available Network Services
- SSIDs
Asset Tracking
- Create process for Asset Tracking
- If a laptop is stolen would you know?
Physical Access Control
- Locks keep good people from doing stupid things
- Create access control between departments, building floors, and IT infrastructure
- Create a process for gaining access
- Audit who has access to what areas
Logs and Real Time Notifications
- Create systems to notify admins in real time about security issues
Disabling Terminated Employees
- Zombie Accounts are a HUGE problem
- “Security” is about more than firewall ports.
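An added example, not from the original slides, tying the "User logons" audit and the zombie-account problem together: it reconciles a constructed HR roster export against a constructed directory account export and flags enabled accounts belonging to terminated staff, enabled accounts with no HR owner, and enabled accounts with no logon in 90 days. The field names and the sample records are assumptions standing in for whatever your HRIS and directory actually export.

```python
from datetime import date, timedelta

# Constructed sample data (assumed field names): an HR roster export ...
HR_ROSTER = [
    {"emp_id": "E100", "status": "active",     "term_date": None},
    {"emp_id": "E101", "status": "terminated", "term_date": date(2024, 3, 1)},
    {"emp_id": "E102", "status": "active",     "term_date": None},
]

# ... and a directory account export (e.g. what you would pull from AD).
ACCOUNTS = [
    {"user": "asmith",  "emp_id": "E100", "enabled": True,  "last_logon": date(2024, 5, 18)},
    {"user": "bjones",  "emp_id": "E101", "enabled": True,  "last_logon": date(2024, 2, 27)},  # terminated, still enabled
    {"user": "cdoe",    "emp_id": "E102", "enabled": True,  "last_logon": date(2023, 11, 2)},  # active but dormant
    {"user": "svc_old", "emp_id": None,   "enabled": True,  "last_logon": None},               # no HR owner at all
    {"user": "dlee",    "emp_id": "E103", "enabled": False, "last_logon": date(2024, 1, 10)},  # already disabled
]

TODAY = date(2024, 5, 20)  # fixed "today" so the example is reproducible offline


def audit_accounts(accounts, roster, today, dormant_days=90):
    """Return findings as {category: [usernames]} for enabled accounts only.

    terminated_enabled: HR says terminated, directory says enabled (zombie).
    orphaned:           no HR record owns the account (service/shared/forgotten).
    dormant:            no logon within dormant_days (or never logged on).
    """
    by_emp = {r["emp_id"]: r for r in roster}
    cutoff = today - timedelta(days=dormant_days)
    findings = {"terminated_enabled": [], "orphaned": [], "dormant": []}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are not zombies; nothing to flag
        hr = by_emp.get(acct["emp_id"])
        if hr is None:
            findings["orphaned"].append(acct["user"])
        elif hr["status"] == "terminated":
            findings["terminated_enabled"].append(acct["user"])
        if acct["last_logon"] is None or acct["last_logon"] < cutoff:
            findings["dormant"].append(acct["user"])
    return findings


def run_audit():
    """Run the audit over the constructed sample data."""
    return audit_accounts(ACCOUNTS, HR_ROSTER, TODAY)


if __name__ == "__main__":
    for category, users in run_audit().items():
        print(f"{category}: {', '.join(users) or '-'}")
```

Feed it a real roster and directory export on a schedule and route the non-empty categories to the real-time notification channel the Logs slide calls for; the terminated_enabled list is the one that should never be non-empty for long.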
Create a Coffee Budget