Communicating a Security Awareness Training Policy

So let’s say you have an information security policy in writing. You’ve spent countless hours reviewing your business model and system environment. Every contingency is covered, including the security awareness policy. Now what? You want to get it out to the troops! All those Cracker Jack employees that keep your business running like a well-oiled machine. After all, this policy will be put in place to protect them as well as the business. It’s important that they not only agree to comply with the policy but that they understand its purpose.

The simplest course of action would be to hold a formal meeting where employees can ask questions and get clarification on items that may be confusing or too technical for the average person. Once everyone is on the same page, it’s critical that they agree to adhere to the security awareness policy. Accountability is crucial, so drafting a document that employees should sign would be the most straightforward approach. The document should be a no-nonsense agreement that simply states, “ I agree to adhere to said policy or be subject to disciplinary action up to and including termination.” At least that's the usual spiel. However you decide to word the agreement, you should stress the importance of information security and that employees can and should be proactive in helping to maintain a secure environment. After all, they have a vested interest. If someone's lax attitude results in the exploitation of sensitive customer information, your business could be slapped with a lawsuit. Then everybody loses their job...or worse. How do you look in an orange jumpsuit?

Keep in mind that policies can (and should) change as your business changes. Policy changes should be implemented quickly in order to "plug" any possible security holes. These changes may also be necessary if an existing policy is not working as intended. Assessments should be made on a regular basis so that issues can be identified BEFORE they become a problem or liability. Stick to these simple guidelines to ensure that your business environment continues to be protected from the inside out.