Employee Security Policy (Cyber Security Part 2)

Creating a security policy for your employees is a good way to keep everyone on the same page as far as security goes, and a written, signed policy is what you will need if you ever have to discipline someone or take legal action.

Slide Notes:

Employee Security Policy 


Employee Bonding and Buy In

  • Relationships are worth more than products
  • People telegraph their intentions; fire them BEFORE they become a problem
  • Seek to understand employee problems and then find where YOU can yield
  • Managers are employees too…
  • Build a network of influencers and get their buy-in 

IT and the CEO

  • What does the CEO envision
  • What are the CEO’s goals
  • What are the CEO’s priorities

IT and HR

  • Understand the hiring and firing process
  • Understand what issues HR is having
  • Understand what the rules and laws are for employers

IT and Legal

  • Understand what the legal priorities of the company are
  • Understand which regulations affect your company (HIPAA, PCI DSS)
  • Create a connection so that when you are asked to do something questionable you have someone to call

IT and Marketing

  • Understand what data Marketing wants
  • Understand what systems Marketing uses

IT and Employees

  • Understand what the employees are supposed to do
  • Understand what the employees actually do
  • Understand Pain Points

Acceptable Use Policy

  • Tell your employees what is and is not acceptable use of company electronic equipment.
  • Have them sign the dotted line…
  • Many free templates available.
  • Don’t just copy/paste a template. Think about what you are telling your employees to sign.
  • Stupid contracts breed contempt….

Written Employee Policies

  • Having written policies keeps everyone on the same page
  • Written policies make discipline easier 
  • Have a formal review process for policies with timed revisions and updates

Social Media Policy

  • “Cancel Culture” is real
  • Make sure employees understand where the company stands
  • Do you want employees putting who they currently work for on social media?

Standards for Discipline

  • Rules NEED punishments
  • Document what the punishments are, and why they are implemented.
  • Make disciplinary actions as public as legal considerations allow
  • “Discretion” gets read as “racism/sexism/ableism/ismism”

Worth the Argument?

  • Sometimes “because” is an appropriate answer
  • In Debate Culture YOU LOSE
  • Fighting is more fun than working…
  • Deal with it in PRIVATE
  • Business is a decision: what do both sides actually care about?

Separation of Authority

  • No one person to blame
  • “I would, but… THEY won’t let me”

Digital Surveillance (Video and Audio)

Email Scanning

  • Scan emails for objectionable words; bounce matching messages back to the sender and notify them that the email was logged.
  • Communication is about more than “email”
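The scan-log-bounce flow from the bullets above, as an added example that is not part of the original slides. The wordlist, the postmaster address and the sample message are all constructed here; a real list comes from HR and Legal, and the mail admin only enforces it. The scan covers the Subject and every text part (HTML with tags stripped), matches whole phrases case-insensitively, and the log record keeps headers and the matched terms rather than the message body.

```python
import re
from datetime import datetime, timezone
from email import message_from_bytes, policy
from email.message import EmailMessage
from html import unescape

# Constructed wordlist for this demo. Whoever owns the real list (HR, Legal)
# decides what goes on it; the mail admin only enforces it.
WORDLIST = ["unreleased earnings", "customer ssn list"]

# Hypothetical sender address for the bounce notifications.
POSTMASTER = "postmaster@example.com"


def _phrase_regex(term):
    # Whole-phrase, case-insensitive match. Whitespace between the words is
    # matched as a run, so a line wrap or a double space does not defeat it.
    words = [re.escape(w) for w in term.split()]
    return re.compile(r"\b" + r"\s+".join(words) + r"\b", re.IGNORECASE)


PATTERNS = [(term, _phrase_regex(term)) for term in WORDLIST]


def message_text(msg):
    """Gather the scannable text: Subject plus every text/* part, HTML tags removed."""
    chunks = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()
        if part.get_content_subtype() == "html":
            body = unescape(re.sub(r"<[^>]+>", " ", body))
        chunks.append(body)
    return "\n".join(chunks)


def scan(msg):
    """Return the wordlist terms present in the message, in wordlist order."""
    text = message_text(msg)
    return [term for term, rx in PATTERNS if rx.search(text)]


def log_record(msg, hits):
    """What gets logged: headers and which terms matched, not the body."""
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "message_id": str(msg.get("Message-ID", "")),
        "from": str(msg.get("From", "")),
        "to": str(msg.get("To", "")),
        "subject": str(msg.get("Subject", "")),
        "hits": hits,
    }


def bounce_for(msg, record):
    """Notification to the sender: not delivered, and a record was logged."""
    reply = EmailMessage(policy=policy.default)
    reply["From"] = POSTMASTER
    reply["To"] = record["from"]
    reply["Subject"] = "Undelivered: " + (record["subject"] or "(no subject)")
    if record["message_id"]:
        reply["In-Reply-To"] = record["message_id"]
    reply.set_content(
        "Your message was not delivered because it matched the acceptable use\n"
        "policy wordlist. A record of the message has been logged.\n"
        f"Reference: {record['message_id'] or 'n/a'} at {record['time']}\n"
    )
    return reply


def process(raw_bytes):
    """Scan one raw message. Returns (deliver, log_record, bounce_message)."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    hits = scan(msg)
    if not hits:
        return True, None, None
    record = log_record(msg, hits)
    return False, record, bounce_for(msg, record)


def build_message(html_body):
    """Constructed sample: multipart/alternative with a plain and an HTML part."""
    m = EmailMessage(policy=policy.default)
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.net"
    m["Subject"] = "Numbers for Friday"
    m["Message-ID"] = "<demo-1@example.com>"
    m.set_content("See the HTML version.")
    m.add_alternative(html_body, subtype="html")
    return m.as_bytes()


if __name__ == "__main__":
    flagged = build_message("<p>Here are the <b>unreleased</b>\n earnings.</p>")
    print(process(flagged)[1])
    print(process(build_message("<p>Lunch at noon?</p>"))[0])
```

The HTML sample splits the phrase across a tag and a line break on purpose; a naive substring check on the raw MIME body would miss it. The bounce deliberately does not quote the message back, so the objectionable content is not re-sent.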

BYOD Issues

  • If THEY own it what rules can you have?
  • Create separate networks for BYOD
  • Build a ZERO TRUST infrastructure

Shadow IT

  • Why are employees using Shadow IT?
  • What Pain Point is Shadow IT solving?
  • Bring Shadow IT into the light.
  • Shadow IT NEEDS consequences 

Whitelists/Blacklists and DNS

  • Use DNS filtering to prevent users from reaching inappropriate sites on company equipment.
  • Give employees a safe passage with guest network access for their BYOD
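The decision logic a filtering resolver needs for the two bullets above, as an added example that is not from the original slides. The block and allow lists and the corporate/guest subnets are constructed; which sites count as inappropriate is the policy decision, this only enforces it. The point worth seeing is that list matching must be by parent zone on label boundaries, not by substring, and that the guest network gets the safe passage the slide describes.

```python
import ipaddress

# Constructed lists. Which sites count as inappropriate is a policy decision
# made with HR and Legal; this code only enforces whatever list it is given.
BLOCKLIST = {"gambling.example", "ads.example"}
ALLOWLIST = {"research.gambling.example"}   # approved carve-out under a blocked zone

# Hypothetical subnets: corporate equipment gets the filter, the BYOD guest
# network gets safe passage as the policy above describes.
NETWORKS = {
    ipaddress.ip_network("10.10.0.0/16"): "corporate",
    ipaddress.ip_network("10.20.0.0/16"): "guest",
}


def normalize(name):
    """Lower-case, drop the trailing dot of a fully qualified name, trim whitespace."""
    return name.strip().rstrip(".").lower()


def parent_zones(name):
    """Yield the name and each of its parent zones: a.b.c -> a.b.c, b.c, c."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def in_list(name, ruleset):
    """True if the name or any parent zone is listed. Matching is on label
    boundaries, so 'notgambling.example' does not match 'gambling.example'."""
    return any(zone in ruleset for zone in parent_zones(name))


def network_role(client_ip):
    """Which network the query came from, by source address."""
    ip = ipaddress.ip_address(client_ip)
    for net, role in NETWORKS.items():
        if ip in net:
            return role
    return "unknown"


def decide(client_ip, name):
    """Resolver decision for one query: 'resolve', 'sinkhole' or 'refuse'."""
    role = network_role(client_ip)
    if role == "guest":
        return "resolve"      # BYOD safe passage
    if role == "unknown":
        return "refuse"       # design choice: fail closed for unregistered sources
    if in_list(name, ALLOWLIST):
        return "resolve"
    if in_list(name, BLOCKLIST):
        return "sinkhole"
    return "resolve"


if __name__ == "__main__":
    queries = [("10.10.1.5", "www.gambling.example."),
               ("10.10.1.5", "notgambling.example"),
               ("10.10.1.5", "deep.research.gambling.example"),
               ("10.20.3.4", "www.gambling.example")]
    for ip, q in queries:
        print(ip, q, decide(ip, q))
```

Because the allowlist is also matched by zone, anything under research.gambling.example is allowed; keep allowlist entries as specific as possible for that reason.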

System Auditing 

  • Have systems continuously audit the infrastructure
    • User logons
    • Device Discovery
    • Available Network Services
    • SSIDs

Asset Tracking

  • Create process for Asset Tracking
  • If a laptop is stolen would you know?

Physical Access Control

  • Locks keep good people from doing stupid things
  • Create access control between departments, building floors, and IT infrastructure 
  • Create a process for gaining access
  • Audit who has access to what areas

Logs and Real Time Notifications

  • Create systems to notify admins in real time about security issues

Disabling Terminated Employees

  • Zombie Accounts are a HUGE problem
  • “Security” is about more than firewall ports.
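One audit that ties together three of the slides above (System Auditing: user logons; Logs and Real Time Notifications; Disabling Terminated Employees), added here as an example and not from the original slides. The HR termination list, the account directory extract and the sshd log lines are all constructed and their formats hypothetical; the real inputs would be the HR system, the directory (AD, LDAP or an identity provider) and the central log collector. It lists accounts that should already be disabled, accounts nobody has used in a long time, and successful logons by someone HR says has left.

```python
import re
from datetime import date, datetime

# Constructed inputs. In practice these come from the HR system, the account
# directory (AD, LDAP or the identity provider) and the central log collector.
TERMINATED = {"jdoe": date(2024, 3, 1), "rlee": date(2024, 1, 15)}
ACCOUNTS = [
    {"user": "jdoe",       "enabled": True,  "last_logon": date(2024, 3, 3)},
    {"user": "rlee",       "enabled": False, "last_logon": date(2024, 1, 14)},
    {"user": "svc-backup", "enabled": True,  "last_logon": date(2023, 9, 1)},
    {"user": "asmith",     "enabled": True,  "last_logon": date(2024, 3, 4)},
]
AUTH_LOG = """\
Mar  3 08:12:01 vpn1 sshd[1122]: Accepted password for jdoe from 203.0.113.7 port 50122 ssh2
Mar  3 08:15:40 vpn1 sshd[1130]: Failed password for rlee from 198.51.100.9 port 40021 ssh2
Mar  4 09:02:13 fs1 sshd[2201]: Accepted publickey for asmith from 10.10.4.20 port 51000 ssh2
"""


def zombie_accounts(accounts, terminated):
    """Enabled accounts whose owner HR says has left: these should already be disabled."""
    return [a["user"] for a in accounts if a["enabled"] and a["user"] in terminated]


def stale_accounts(accounts, today, max_idle_days=90):
    """Enabled accounts nobody has used for a long time (orphaned service accounts,
    forgotten contractors). Not necessarily terminated, but they need an owner check."""
    return [a["user"] for a in accounts
            if a["enabled"] and (today - a["last_logon"]).days > max_idle_days]


# sshd "Accepted" lines in the classic syslog layout (no year in the timestamp).
LOGON_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_logon(line, year):
    """Return a dict for a successful logon line, or None for anything else."""
    m = LOGON_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    when = datetime.strptime(f"{year} {f['mon']} {f['day']} {f['time']}",
                             "%Y %b %d %H:%M:%S")
    return {"when": when, "host": f["host"], "method": f["method"],
            "user": f["user"], "src": f["src"]}


def logon_alerts(log_text, terminated, year):
    """Successful logons by a terminated user on or after their termination date."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_logon(line, year)
        if ev is None or ev["user"] not in terminated:
            continue
        if ev["when"].date() >= terminated[ev["user"]]:
            alerts.append({**ev, "reason": "logon by terminated user"})
    return alerts


def notify(alert):
    """Stand-in for the real-time channel (pager, chat webhook, SIEM rule)."""
    print(f"ALERT {alert['when']:%Y-%m-%d %H:%M} {alert['user']}@{alert['host']} "
          f"from {alert['src']}: {alert['reason']}")


if __name__ == "__main__":
    print("zombie:", zombie_accounts(ACCOUNTS, TERMINATED))
    print("stale:", stale_accounts(ACCOUNTS, date(2024, 3, 5)))
    for a in logon_alerts(AUTH_LOG, TERMINATED, 2024):
        notify(a)
```

Run it on a schedule against real exports and the zombie list should be empty every time; a non-empty list means the HR-to-IT offboarding hand-off failed, which is the process problem the slide is pointing at. The logon check is the backstop for the cases that slipped through.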

Create a Coffee Budget