Simply drafting policies and throwing them at your employees isn’t enough to reach your goals of added security on your network and company equipment. Take some steps to help your employees help you:
- Educate your organization with well-written IT policies and procedures to help employees make the right decisions and avoid unnecessary mistakes.
- Use language that can be understood by everyone in your IT security policies and procedures. Make sure it’s clear what the consequences are for not complying with policy and procedure. This includes the WHY of the policy: educate users as to the risks they open themselves and the company to by not following policy and procedure. Also make it clear that sometimes genuine mistakes happen, and encourage employees to report them, not cover them up. Foster an open and understanding environment for legitimate mistakes, so that employees feel comfortable reporting security mistakes and those mistakes can be corrected as quickly as possible.
- Instead of one huge document, break your policy and procedures into smaller, more manageable documents. This makes them easier for users to digest, and also makes them much easier to review and update.
- Now that your documents are in smaller, more manageable chunks, review and update them regularly. Remind users of the policy and procedures. Having users receive the policies yearly is a good practice. And make sure everyone gets the new version when you update something.
- Test your policies and procedures. Are there parts that employees don’t understand? Identify weaknesses both in the policy wording and in the procedures themselves. This will also help you identify areas where targeted training may be needed in your organization.