Posts Tagged: Policy

Doing more with less in information security.

At RSA 2009 this year you heard vendors say over and over that automation is now a necessity. No kidding. IT budgets are shrinking or non-existent. Staff are being cut. Yet regulation, compliance and governance requirements increase constantly. Auditors seem surprised and act as if IT and security people are stupid or incompetent when things are not done fully. Maybe they can fund the necessary resources. Still, we have to deal with the reality of the situation. My tactic is to bake doing the right thing into the IT staff's routine. I strive to present things in a way that makes it easy for them to do it right the first time. That may mean making a screencast on how to perform certain activities. It might mean checklists with a self-calculating dashboard. I tell them I take this point of view: Shaggy and Scooby Doo are my heroes. They get the bad guy every time, and they do it the laziest, easiest way possible. Once I told this to one of my Twitter friends, @illumikate. She loved the strategy, but coined a great phrase to describe it. She said I was just striving to be “efficiently effective,” not lazy. Bake in doing the right thing as best you can. Provide scripts, tools, anything to automate or make it easy for IT to comply. This is what I really consider “doing more with less.”

Employee Privacy

I previously posted about having to make sure we have something in place to protect employees from misuse of the new surf control deployment. Here is a sample of what I went with.

Employee records and data, which include, but are not limited to, telephone use, cell phone use, computing resource use, video surveillance and Internet use, are to be handled with extreme sensitivity and confidentiality. Management, or others requesting access to this type of information, must submit their request to the Human Resources Department at the location where the employee in question is based. All HR-approved requests must then also be approved by the Corporate Security Officer. The appropriate local IT Department must provide all requested data to the local Human Resources Department, who in turn will provide this data to those who initiated the information request. In reviewing all data and record requests, the HR Department must assess the appropriateness of the individual requesting the data, as well as the relevance of the data being requested.

There are occasions where employees are unavailable (e.g. vacation) and a manager assigns a stand-in. In these instances, where no investigation is involved, the manager must submit a notification stating the duration and the access required to the Human Resources Department at the location where the employee in question is based. Human Resources will review the appropriateness of the temporary access. HR-approved requests will be sent to the local IT Department. The IT Department will send notification of the access change to HR and the requesting manager. Access must be removed at the end of the assigned duration, and confirmation of the removal must be sent.

If the requesting department is HR, then it must obtain the approval of the Company Site Manager. If any information is discovered that relates to policy or legal violations, it must be immediately brought to the attention of Human Resources, and the Corporate Security Officer must be notified.

There are occasions where managers may request site entry and exit logs of their employees for use in time and attendance tasks. This is accepted by Company as a standard tool to ensure employees receive proper compensation. Each site may determine its own policies concerning requesting and receiving this information.

Awareness Posters – DOC Format

For grins, I exported the posters from Pages to Word DOC format. I cannot speak to how the export looks. But if you want something other than Pages to work with, you can use this version as a starting point. You can download the zipped DOC files here: Policy Awareness Posters DOC

Awareness Posters

I am a firm believer that you have to set clear expectations before you can enforce a policy. As I told a store manager once, if the employee is going to be surprised that you are firing them (not necessarily surprised that they are in trouble), then you should not fire them: you did not properly manage their expectations. I made an Email Policy and a Media Device Policy awareness poster. They are in Apple Pages format, in both English and Spanish. On the top right you can place your own company logo; replace the word “Company” with your employer’s name, and modify the policy number/reference in the middle to match your documentation. Lastly, on the English poster, since we have a mechanism for reporting spam, I had a screenshot of dragging an email into a new email to send to the spam abuse address. I took it out because it showed some internal names. Feel free to put your own shot in that blank space. You can download the zipped Pages files here: Policy Awareness
