How to Enforce a Cyber Security Policy

Posted on October 12, 2016 by T&M Protection Resources, LLC
The CSO article “Enforcing a Security Policy” continues to be relevant in today’s constantly changing cyber threat landscape. Information security policies are only valuable if they are enforced.
1. For enforcement to be practical, update cyber security policies regularly to keep up with emerging threats.
2. Cyber security policies should include guidance. If shredding sensitive documents such as printed emails in a timely manner is a policy, then require that managers and supervisors check that shredders are being used and that sensitive documents aren’t discarded in a waste bin as part of that policy to ensure compliance. Breaking policies into achievable tasks transforms written policies from a piece of paper to the underpinnings of a culture of compliance.
3. Cyber security policies should include procedures for testing, enforcing, and investigating breaches of policy. It is better to have a procedure that you never need to use than to not have one when you need it. It is equally important to test controls around the enforcement of all procedures.
4. Administer disciplinary action for chronic carelessness or an intentional breach of cyber security policy. If the breach was accidental, it should be treated as an opportunity for more cyber security awareness training. But whenever chronic carelessness or an intentional breach occurs, disciplinary action should be considered. Remember that some punishments are external. If an employee breaches a policy in a way that also violates the law, then the consequences to the employee, the employee’s manager or supervisor and the company itself can be very grave. In recent years, responsibility for cyber security breaches has shifted to supervisors, managers, executives, and even the board of directors if there is evidence of a pervasive culture of noncompliance with cyber security policies and regulations.
5. Ensure that disciplinary action for cyber security breaches is equitable. Do not allow the stature of senior and middle management, or an employee’s close relationships with management, to insulate them from consequences that would be administered to other employees. Doing so risks creating an ‘us vs. them’ culture in the company that can hinder cyber security goals and employee productivity. This cronyism also ignores the reality that breaches of cyber security policy by senior employees often carry a much higher risk, because of their access to more sensitive and vital company data, and should therefore come with a greater expectation of responsibility.