Policy Distribution and Education

Now that we have created our policies, either from templates or tools, we need to implement and enforce them. No matter how wonderful and eloquent a policy may be, if it's not distributed and enforced properly, it is not worth the paper it is printed on.

First, we have to determine the scope of our recipients. It won't make much sense to give our new policies to individuals who don't need to read them, and at the same time it would be a mistake if we missed important personnel. The answer is not to distribute all policies to all people in a blanket issuance. Instead, you should work with your stakeholders to determine which policies should be distributed to the various segments of the user population.

By discussing this with stakeholders, you can provide a useful IT perspective about security while the stakeholder provides a useful perspective about the user community. Striking this balance will help ensure the policies are not only targeted to the right users but that there are no critical gaps. A few overlaps are better than gaps, but a blanket distribution is almost guaranteed to miss the intended target.

There are numerous creative ways to get users to read and implement policies and security guidelines. As much as you might like to just send them out in a long PDF file or email and then post them on an intranet, that technique tops the list of ineffective ways to promulgate security policy.

Instead, make the task palatable. Have department managers discuss policies at staff meetings, post important policies on posters in hallways and break rooms, include the important information in bite-sized chunks in newsletters or interesting e-mails or as screensavers or "message of the day." When you make the communication quick, easy and relevant to the intended audience, you're more likely to get a higher rate of compliance.

Remember, you can simply stand there and be the enforcer, which is only effective when you're standing there, or you can gain compliance through education. It's how good managers manage. By educating your audience in interesting and informative ways, you get higher compliance over a longer term than if you stand there ready to handcuff anyone who disobeys. Get your Human Resources and Training teams involved with educating people on the key policies and find ways to keep these messages in front of users in ways that they won't simply overlook. There are numerous resources you can use to create awareness programs.

Here are two useful links for help in creating an effective awareness program:

http://csrc.nist.gov/ATE/awareness.html

www.sans.org/rr/whitepapers/awareness/
