Educating and Policing with Policy

By nature, human beings take the easiest route. Every one of us is all about the path of least resistance.

If we can find a way to cut a two-hour project down to an hour, we'll do it - even if it may require us to bend the rules a bit. If one really needs to wash the old, dusty, terribly bird-stained car, one might opt to pay another person to do it. If I, for instance, have to make a U-turn on a public road and am faced with a 'No U-turn' sign, but see not one police officer in view, I make the U-turn anyway. Who wouldn't? (Maybe my sister wouldn't - she has always been the incessant follower of rules, but that's a different story altogether, dear reader.)

The point here is that if we can keep up with our work in the office and still do some personal research on the Internet there, we'll do it. If we can shoot a funny email off to a friend, we may not give it a second thought. That is, until we get an email from a colleague at work who happened to think, say, a chauvinistic joke was funny, or until we walk in on an associate hitting the Internet to find out when the next KKK rally is. Then, maybe, we think it might be a good idea for our company to put some rules in place about the use of such applications at work.

Putting down in writing the responsibilities of employees is nothing new. Since commerce began, managers have often informed their employees through one means or another what they must do to fulfill the duties of their jobs, how they must act at the workplace and what they get in return.

Spelling out how employees are beholden to the enterprise when using corporate computer equipment, however, has been an altogether different story. Most companies are still failing to embrace with any seriousness the idea of drafting and enforcing mandates for the use of computer equipment in the workplace. While infosecurity awareness seems to be at an all-time high, the practical knowledge of IT safeguards that should go with it is not getting the buy-in from professionals one would have expected.

Part of the problem, says Angus McIlwraith, senior consultant with Insight Consulting in the U.K., is that companies are still grappling with the basics. Additionally, because infosecurity is still viewed as separate from core business applications, employees and executives are failing to see the very strong connection between them.

"Security has to be established as a fundamental part of each business process," he notes. This means getting the policies together in-house, noting the basic principles of how a company is run. Yet, they should also be reviewed on a regular basis and should not be "absolute dictates."

Many executives and board members are indeed aware of this need, experts say. Yet problems still make the newspapers because organizations keep making the same policy development and education errors. In fact, according to a recently released report from Gartner, the IT research firm, indifference to security concerns is a big problem in the corporate world today. Gartner cites a whole host of problems plaguing businesses, including poor security governance and culture.

"Companies in general appreciate the need for policies," says Etienne Greeff, professional services director at MIS Corporate Defense Solutions in the U.K. "Having said that, they often approach the policy writing process in isolation. This means that the policies start off without any grounding in business and without procedures and standards."

Executives also tend to decide unilaterally what employees may do with their computers, the Internet or email without first conferring with the people who must abide by these mandates. With this approach, most employees feel as if they're the unfortunate victims of Orwellian sympathizers and may simply decide to ignore the rules.

"The ideal approach is to obtain a broad consensus from those who are affected by the policies and ensure they feel a strong degree of ownership," says Insight's McIlwraith. "A good policy is one that is rational, effective and accepted without too much struggle. There is always some element of confrontation, [however], because security is often contrary to established practice and any change involves pain."

A good policy program is also one that does not simply stop when employees read it over and then sign on the dotted line in agreement, say other experts. Nor is a good policy one that depends on handy-dandy posters slapped on the wall over the water cooler. "Most infosec awareness initiatives are crass and ineffective," says Price. "What is required is a structured, goal-and-objective-led process that is designed to change behavior. This has to be linked to a monitoring system that traps those aspects of behavior that show changes in behavior. Infosec implementers have to understand that they are in the business of communication and persuasion. They need to educate and inform. To do this requires that the information is delivered in a digestible form."

So, what should a security policy include to make it a bit more digestible to the average employee? According to Andy Meyer, vice president of marketing for Websense, Inc., companies should create acceptable usage policies for the Internet and email and include them in a larger employee manual that is signed during employee training. That training should be comprehensive IT security training, delivered continuously, so that employees stay abreast of ever-evolving policies. A few items to include in such policies are:

  • A disclaimer: This lets employees know about the "dangers of the Internet" and will help keep companies from becoming liable for any material that's viewed or downloaded, says Meyer.
  • A summary of network use limitations: This should differentiate between appropriate and inappropriate uses of corporate applications.
  • An agreement not to waste or damage computer resources: This will include details on such things as accessing the Internet through firewalls, the avoidance of "frivolous" use of applications, notification of IT managers when a virus infection is suspected, and more, says Meyer.
  • A 'no expectation of privacy' statement: This will "waive the privacy rights over any materials sent or created using the company's computer network," explains Meyer, which will allow "the company to monitor and/or log Internet use, and permits the company to block sites with inappropriate content."

In addition to these, notes Meyer, a company might want to define "reasonable personal use," so as not to come off as too draconian. As long as policies aren't violated or work is not interfered with, then some personal use should be permitted.

In the end, companies must focus on translating these and other technical policies into procedures that are bolstered by effective educational exercises. Without this, policies quickly become useless, as they will be ignored or circumvented. Such supporting procedures and standards will answer the "hows, whats and whys" that employees might ask, notes MIS' Greeff. "When the policy is used as the basis for standards and procedures, it becomes part of the day-to-day activity of a company and becomes a living thing," he further explains.

Illena Armstrong is U.S. editor of SC Magazine.
