Creating a security policy for your employees is a good way to keep everyone on the same page as far as security goes, and is necessary if you need to take legal action.
Employee Security Policy
Employee Bonding and Buy In
- Relationships are worth more than products
- People telegraph their intentions; fire them BEFORE they become a problem
- Seek to understand employee problems and then find where YOU can yield
- Managers are employees too…
- Build a network of influencers and get their buy-in
IT and the CEO
- What does the CEO envision?
- What are the CEO’s goals?
- What are the CEO’s priorities?
IT and HR
- Understand the hiring and firing process
- Understand what issues HR is having
- Understand what the rules and laws are for employers
IT and Legal
- Understand what the legal priorities of the company are
- Understand what regulations affect your company: HIPAA, PCI
- Create a connection so when asked to do something questionable you have someone to call
IT and Marketing
- Understand what data Marketing wants
- Understand what systems Marketing uses
IT and Employees
- Understand what the employees are supposed to do
- Understand what the employees actually do
- Understand Pain Points
Acceptable Use Policy
- Tell your employees what is and is not acceptable use of electronic equipment.
- Have them sign the dotted line…
- Many free templates available.
- Don’t just copy/paste a template. Think about what you are telling your employees to sign.
- Stupid contracts breed contempt…
Written Employee Policies
- Having written policies keeps everyone on the same page
- Written policies make discipline easier
- Have a formal review process for policies with timed revisions and updates
Social Media Policy
- “Cancel Culture” is real
- Make sure employees understand where the company stands
- Do you want employees putting who they currently work for on social media?
- DON’T FRIEND COWORKERS
Standards for Discipline
- Rules NEED punishments
- Document what the punishments are, and why they are implemented.
- Make disciplinary actions as public as possible (Legal considerations)
- “Discretion” is “racism/sexism/ableism/ismism”
Worth the Argument?
- Sometimes “because” is an appropriate answer
- In Debate Culture YOU LOSE
- Fighting is more fun than working…
- Deal with it in PRIVATE
- Business is a decision; what do both sides actually care about?
Separation of Authority
- No one person to blame
- “I would, but… THEY won’t let me”
Digital Surveillance (Video and Audio)
- Scan emails for objectionable words, bounce back emails and notify that the email was logged.
- Communication is about more than “email”
- If THEY own it what rules can you have?
- Create separate networks for BYOD
- Build a ZERO TRUST infrastructure
- Why are employees using Shadow IT?
- What Pain Point is Shadow IT solving?
- Bring Shadow IT into the light.
- Shadow IT NEEDS consequences
White Lists/Black Lists and DNS
- Use DNS filters and such to prevent users from going to inappropriate sites on company equipment.
- Give employees a safe passage with guest network access for their BYOD
- Have systems continuously audit the infrastructure
- User logons
- Device Discovery
- Available Network Services
- Create a process for Asset Tracking
- If a laptop is stolen, would you know?
Physical Access Control
- Locks keep good people from doing stupid things
- Create access control between departments, building floors, and IT infrastructure
- Create a process for gaining access
- Audit who has access to what areas
Logs and Real Time Notifications
- Create systems to notify admins in real time about security issues
Disabling Terminated Employees
- Zombie Accounts are a HUGE problem
- “Security” is about more than firewall ports.
Create a Coffee Budget