What are the basic things that need to be explained to every employee about a security policy? At what point in their employment? Why?
Employees need to be made aware of, and adhere to, organisational security policies in order to prevent, detect and respond to potential threats. They should understand the policy itself and the standards, procedures, baselines and guidelines that support it.
New employees should be trained on the security policy as soon as possible, ideally before they are given access to the organisational network. If full training cannot be delivered immediately, they should at least be given the key points in a starter pack or induction. It is critical that employees understand the seriousness of cybersecurity and the potential consequences and damage if policies are not adhered to. On completion of training, employees should pass a brief assessment to demonstrate that they understand the organisational security policies. Existing employees should be required to refresh their security policy training periodically, for example every six months or every year, depending on the sensitivity of the data they handle.
Basic aspects of a security policy that should be explained to all employees include, but are not limited to:
Acceptable Usage Policy
Notes on this in lecture
Effective password management
Passwords are often the weakest link in a network. Employees must be shown how to create strong passwords that are difficult to compromise. Simple or obvious passwords should be avoided, as should passwords that are merely an updated version of a previous one (for example, the same word with the year or a trailing number incremented), since an attacker who learns the old password will try exactly those variants first.
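The "updated version of a previous password" point is easy to state and hard to enforce by eye, so the following is an added example (not part of the original answer) of how a password-change check could reject it. The minimum length, the edit-distance threshold, the small banned-password list and the leet-speak substitution table are all assumptions chosen for illustration, not values taken from any policy.

```python
import re

# Illustrative policy thresholds (assumed for this example, not taken from the text).
MIN_LENGTH = 12
MAX_EDITS_FROM_PREVIOUS = 2

# Constructed sample of banned passwords; a real deployment would use a large breach list.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "iloveyou"}

# Common character substitutions people use to dress up a word ("P@ssw0rd" -> "password").
LEET = str.maketrans("0134578@$!", "oleastbasi")


def normalize(password: str) -> str:
    """Reduce a password to the core word it is built around, so that
    'Summer2023!' and 'summer2024!!' both collapse to 'summer' and
    'P@ssw0rd2024' collapses to 'password'."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)  # drop leading/trailing digits and symbols
    core = core.lower().translate(LEET)                      # undo leet-speak substitutions
    return re.sub(r"[^a-z0-9]", "", core)                    # drop any remaining punctuation


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character insertions, deletions or
    substitutions turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(candidate: str, previous: list[str]) -> tuple[bool, str]:
    """Return (accepted, reason). 'previous' holds earlier plaintext passwords
    that are available for comparison at change time."""
    if len(candidate) < MIN_LENGTH:
        return False, f"too short (minimum {MIN_LENGTH} characters)"
    if candidate.lower() in COMMON_PASSWORDS or normalize(candidate) in COMMON_PASSWORDS:
        return False, "based on a common password"
    for old in previous:
        if candidate == old:
            return False, "reuses a previous password"
        if normalize(candidate) == normalize(old):
            return False, "trivial variant of a previous password (same core word)"
        if levenshtein(candidate.lower(), old.lower()) <= MAX_EDITS_FROM_PREVIOUS:
            return False, "trivial variant of a previous password (too few changes)"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample inputs.
    for new, old in [("Summer2023!!", ["Summer2022!!"]),
                     ("P@ssw0rd2024", []),
                     ("Tr0ub4dor&3xyz", ["Tr0ub4dor&3xyw"]),
                     ("correct-horse-battery", ["Summer2022!!"])]:
        print(f"{new!r:>28} -> {check_password(new, old)}")
```

In practice a system only holds hashes of old passwords, so the similarity tests above can only be run against the password the user types in as their current one during the change; older history is checked by comparing hashes, which catches exact reuse but not variants. That gap is exactly why the behaviour has to be taught as well as enforced.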
Backup and recovery/data management
How data should and should not be stored, and how it is backed up and recovered.
Sensitive information should not be kept on post-it notes (passwords in particular), in personal notebooks, or on USB memory sticks, CDs and other removable media holding company data, unless the policy explicitly permits it.
Screens should be locked with a password whenever left unattended. Laptops, tablets and similar devices should be secured with desk locks. Out of the office, devices should be kept on the person and shut down, not merely put to sleep, when not in use: full-disk encryption only protects the data while the device is powered off, since a running or sleeping machine still holds the decryption key in memory.
Prevention of Scam and Fraud
Not clicking links or opening attachments in emails from unknown or unexpected senders, and verifying any unusual request for payments or credentials through a separate, known channel before acting on it.
Physical security, i.e. laptops locked away or secured with Kensington locks, and no notebooks or post-it notes with passwords left lying around.
Release of information to third parties: what may be shared, with whom, and who must approve it.
In summary, the core topics every employee needs are device lockdown, password management, encryption and alertness to scams.