Corporate Policies, Processes and Procedures
The Internet Storm Center shares an excellent reminder of the need for companies to revisit their corporate policies to ensure they are up-to-date, relevant, and easy to understand. This is just as important as technological defenses. Both go hand-in-hand to protect the company. Revisiting your security policies is an excellent way to start the new decade.
Users need security rules and boundaries, so that acceptable behavior is encouraged and risk is reduced in the workplace. Yes, there will be some who march to the beat of a different drum and won't comply. Still, companies need to work with their users to promote the best in privacy, security, and information protection.
I've enjoyed authoring these guidelines in the past. Some ideas for success include:
Design in positive terms (minimize the "Thou shall not" statements, e.g., instead of "do not visit inappropriate sites" state as "users must visit business appropriate sites"). This promotes best practices and eventual buy-in by the users.
Use reasonable controls rather than absolute restrictions (e.g., avoid saying "absolutely no personal use of IT resources" unless that is the desired policy and will be followed by all). Don't be too rigid or too lenient in the design, so as to allow limited employee freedoms as long as there is a primary business use focus.
Use simplified language to promote understanding by all (avoid legalese, highly technical terms, complex sentence structures, etc.)
Monitor security policies and enforce them (educate first-time violators rather than making examples of them)
Most importantly, publish them on your corporate Intranet where they can be kept up-to-date easily and so they can be easily accessed by all
Publish company-wide emails when policies change
Ensure senior management, HR, and Legal Counsel provide input, approve, and back these important guidelines
Internet Storm Center - The necessary evils: Policies, Processes and Procedures
http://isc.sans.org/diary.html?storyid=8071
QUOTE: It is one that you can't afford to overlook. I have found time and time again that having good policies, processes and procedures keeps you out of trouble ... Whatever the case, having good policies, processes and procedures will only make you and your organization better. So, since it's the beginning of a new year, take some time and update your policies and look at your processes and procedures. Have they changed? Do they need updating? Are they even helpful? Writing something for the sake of saying you have it is a waste of time.