Information Security policies are the guiding principles that your security program is based on. The policies are the forward-facing statements of security that should be publicly available, easily distributed on request to clients and customers, and a document that every single employee knows where to find and what it contains. As the workforce changes in the coming years, the approach to Information Security policies needs to evolve as well. In the ‘old’ days Information Security policies were written in complicated legalese that only those trained properly truly understood. This doesn’t help anyone.
Information Security policies need to be written for an audience that is not your security team, your legal team or the IT department. Those people will understand them regardless, but that does not help you build an effective enterprise-wide information security program. Everyone needs to understand the policies you expect them to abide by. Chances are every employee signs off at hire, and probably annually, that they have read and understood the policies. Is this true? Does everyone really understand your security program?
As much as I hate the cliché, it is very applicable to Information Security policies: TL;DR.
If your employees view your Information Security policies that way, they are worth less than the paper they are printed on. If your employees don’t read them and skip straight to the Accept button, how can you say you have an effective security program?
Security is everyone’s responsibility, and if that’s not the message you are conveying you need to start. Security is not a checkbox list; it’s an organic part of daily tasks. To get there you need to write and deliver policies in such a way that employees think about security rather than work through a to-do list.
Here’s a very important tip that you need to understand as an Information Security professional.
“It is not the reader’s responsibility to understand the policies, it is the author’s responsibility to have the reader understand.”
How do you do that? First, drop the legalese. Don’t make it complicated with overly descriptive, redundant words that only fill a page. Simplify, sympathize and emotionalize. Information Security policies need to be written TO the reader, not down to them. Write policies as if you are talking to them directly. People remember emotion.
An email policy, for example, is generally a page or two of do’s and don’ts stated multiple ways to cover all the ‘legal’ bases, but at the end of the document it makes one underlying security statement. Think about the employee working in the warehouse or call center, someone who does not have the training or education to parse the complicated language: will they understand it? Write what you mean and move on.
“Email provided by the company is for business purposes. Email is recorded and can be read by the company at any time. Be cautious about what you send and what you receive; the company takes great care with our security, and it’s your responsibility to protect data and control who you send it to. If you use your company email address for personal reasons, be aware that those messages are not private.”
A security statement like that can be understood by every employee. A whole three-page email policy was just brought down to a paragraph. Simple, concise, and employees can honestly say they read it and understood it.
An Internet use policy –
“The company provides Internet access intended for business purposes. You are expected to use the Internet for your job; if you use it for other purposes, do so only on your breaks and only where it does not interfere with your job duties. All Internet traffic is monitored and any site you visit will be seen. You have no privacy in your Internet use, and you are expected not to abuse this access or use it for any illegal or illicit purposes. Be aware that you are at a place of business and the websites you visit reflect on you and the company.”
Simple. Internet use is for business only. It’s recorded. No privacy, and be careful what you visit. Do you really need a 20-item list of things not to visit?
One aspect Information Security policies need to be more up front about is personal privacy. Most of the policies I have seen and reviewed have had small comments on privacy for the individual, but if the document is TL;DR no one will see them. Personal privacy should be up front, in the first paragraph, setting the stage for the rest of the policy. Once people are reminded that the computer is not their personal PC (everyone truly knows this) their mind begins to shift and they become more aware of proper use. Maybe I shouldn’t save my kids’ photos on my company PC if the IT department gets copies of them.
Make it very clear, and don’t be shy about it: employees have no personal privacy for anything on a company-provided device. Period. Check the exact wording against the employment and privacy law wherever your people work, but say it plainly.
“Any computer equipment provided to you, or any device connected to the company network, has no privacy controls for your data or your use of it. All data can be copied and viewed by the company. All data on the equipment is the property of the company, including any data you placed there. You have no privacy for your personal information, photos, videos, websites visited, email, etc. If you put personal content on a company device, you have no right to get it back or to have it removed from backups when you leave the company or the device is replaced. The company expects all company equipment to be used for company business and your personal data to be kept on personal devices.”
Stop avoiding the statements that need to be made. Softened language leads to soft policies. State it. Be up front. If you are loose and soft, people will wiggle around it.
The old style of policy language used to work, but the workforce is changing. Millennials will be the dominant demographic in the workforce by 2025, and when you look at the psychology of that generation you will see that old-style policies don’t work. In a nutshell, Millennials respond well to honesty, integrity and simplicity. Up front and honest.
If you want your policies to be understood, and to evolve to maximize their effectiveness, you need to learn to write them for those who have to follow them. Write them so they are interesting to read, maybe even a little fun and entertaining. You will be amazed what people will do when there’s a small amount of fun in something.
Test this theory yourself: write your policies both ways and see which one wins employee acceptance. Without employee acceptance and adoption you might as well close the doors, because you won’t have a security program.
End of line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming and system administration through senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.