<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Forcing Users To Review Information Security Policies in Tech Talk</title>
    <link>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/38291#M2915</link>
<description>&lt;P&gt;I am looking for a way to hold the departments accountable and ensure they at least review the policies that we have.&amp;nbsp; I was thinking about using Adobe Sign but &lt;STRONG&gt;don't want to go cloud&lt;/STRONG&gt;.&amp;nbsp; An application like those that make you scroll to the end and then click agree would be nice if it kept track of the people who signed.&amp;nbsp; I'm looking for any recommendations; we have hundreds of users and docs.&lt;/P&gt;</description>
    <pubDate>Mon, 09 Oct 2023 09:37:06 GMT</pubDate>
    <dc:creator>tim2</dc:creator>
    <dc:date>2023-10-09T09:37:06Z</dc:date>
    <item>
      <title>Forcing Users To Review Information Security Policies</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/38291#M2915</link>
      <description>&lt;P&gt;I am looking for a way to hold the departments accountable and ensure they at least review the policies that we have.&amp;nbsp; I was thinking about using Adobe Sign but &lt;STRONG&gt;don't want to go cloud&lt;/STRONG&gt;.&amp;nbsp; An application like those that make you scroll to the end and then click agree would be nice if it kept track of the people who signed.&amp;nbsp; I'm looking for any recommendations; we have hundreds of users and docs.&lt;/P&gt;</description>
      <pubDate>Mon, 09 Oct 2023 09:37:06 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/38291#M2915</guid>
      <dc:creator>tim2</dc:creator>
      <dc:date>2023-10-09T09:37:06Z</dc:date>
    </item>
    <item>
      <title>Re: Forcing Users To Review Information Security Policies</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/38305#M2917</link>
      <description>We use our payroll/HR software to disseminate that information. They log in and are notified they have a message, view the document, and when they click "OK" it acknowledges the fact that the document has been viewed and saves a log per user. We can have the messages come up on the time clocks as well when they initially clock in. It will say something to the effect of, "Please log in to your *** account and view your messages".</description>
      <pubDate>Thu, 20 Aug 2020 14:03:49 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/38305#M2917</guid>
      <dc:creator>tmekelburg1</dc:creator>
      <dc:date>2020-08-20T14:03:49Z</dc:date>
    </item>
    <item>
      <title>Re: Forcing Users To Review Information Security Policies</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/38306#M2918</link>
      <description>&lt;P&gt;You could look at a tool like MetaCompliance; however, reading a long policy isn't usually top of people's agenda in many organisations, so unless it's a complete re-write it may make sense to just announce the delta.&lt;/P&gt;</description>
      <pubDate>Thu, 20 Aug 2020 14:13:58 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/38306#M2918</guid>
      <dc:creator>Steve-Wilme</dc:creator>
      <dc:date>2020-08-20T14:13:58Z</dc:date>
    </item>
    <item>
      <title>Re: Forcing Users To Review Information Security Policies</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/38309#M2919</link>
      <description>&lt;P&gt;Agree with Steve: make it part of your corporate training program with maybe a short quiz.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;d&lt;/P&gt;</description>
      <pubDate>Thu, 20 Aug 2020 14:18:16 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/38309#M2919</guid>
      <dc:creator>dcontesti</dc:creator>
      <dc:date>2020-08-20T14:18:16Z</dc:date>
    </item>
    <item>
      <title>Re: Forcing Users To Review Information Security Policies</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/38354#M2922</link>
      <description>&lt;P&gt;I'm curious why the users have to sign to show they reviewed the policy. When an employee agreed to work for the company, they agreed (and signed) that they will comply with the company policy (which includes the Information Security Policy). If there's an update to the Information Security Policy and it's announced, why do employees have to sign for it again?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;For example, if the company updates the information security policy and implements a change on the system to comply with GDPR, and I don't like the change, never sign, and later on cause the company financial loss due to non-compliance with GDPR, does that exempt me from any responsibilities/liabilities since I never signed/acknowledged?&lt;/P&gt;</description>
      <pubDate>Fri, 21 Aug 2020 18:59:28 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/38354#M2922</guid>
      <dc:creator>sergeling</dc:creator>
      <dc:date>2020-08-21T18:59:28Z</dc:date>
    </item>
    <item>
      <title>Re: Forcing Users To Review Information Security Policies</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/38355#M2923</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/630582371"&gt;@sergeling&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;I'm curious why the users have to sign to show they reviewed the policy. When an employee agreed to work for the company, they agreed (and signed) that they will comply with the company policy (which includes the Information Security Policy). If there's an update to the Information Security Policy and it's announced, why do employees have to sign for it again?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;For example, if the company updates the information security policy and implements a change on the system to comply with GDPR, and I don't like the change, never sign, and later on cause the company financial loss due to non-compliance with GDPR, does that exempt me from any responsibilities/liabilities since I never signed/acknowledged?&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;It's all about accountability, non-repudiation, and litigation. It's easy for someone to lie and say they didn't know, especially if their job is in jeopardy. Best practice is to have some kind of acknowledgement between the staff and employer to protect everyone involved. Plus it's a great way to make sure everyone is aware of your policy before it goes into effect. The signature or acknowledgment is not about whether you agree; it's that you are aware of the policy.&lt;/P&gt;</description>
      <pubDate>Fri, 21 Aug 2020 19:17:49 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/38355#M2923</guid>
      <dc:creator>tmekelburg1</dc:creator>
      <dc:date>2020-08-21T19:17:49Z</dc:date>
    </item>
    <item>
      <title>Re: Forcing Users To Review Information Security  Policies</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/38384#M2924</link>
      <description>&amp;gt; sergeling (Newcomer III) posted a new reply in Tech Talk on 08-21-2020 02:59 PM&lt;BR /&gt;&lt;BR /&gt;&amp;gt; I'm curious why the users have to sign to show they reviewed the policy. When an employee agreed to work for the company, they agreed (and signed) that they will comply with the company policy (which includes the Information Security Policy).&lt;BR /&gt;&lt;BR /&gt;It is, or may become, a legal issue, and, like all legal issues, the only real answer is, "It depends."&lt;BR /&gt;&lt;BR /&gt;There are cases extant (and that means case law, and precedent [unless you are in Louisiana or California, or some other civil law legal system] [and even then there might be jurisdictional issues]) where someone argued that, yes, they agreed to work for the company, but they didn't know there was X policy. And then other cases where they argued that they knew about X policy, but didn't agree with it. Or that they didn't know it applied to them. Or that they didn't know the details of X policy.&lt;BR /&gt;&lt;BR /&gt;So, some companies have employees sign off, specifically, that they have received the company policy. And some have employees sign off that they have read and agree to the company policies. And some even have employees sign off that they have received and read the company policy, and then take an exam (that they have to pass with XX% correct) before they get their ID and login.&lt;BR /&gt;&lt;BR /&gt;It depends.&lt;BR /&gt;&lt;BR /&gt;====================== (quote inserted randomly by Pegasus Mailer)&lt;BR /&gt;rslade@gmail.com rmslade@outlook.com rslade@computercrime.org&lt;BR /&gt;Isn't it funny how day by day nothing changes, but when you look back, everything is different. - C. S. Lewis&lt;BR /&gt;victoria.tc.ca/techrev/rms.htm &lt;A href="http://twitter.com/rslade" target="_blank"&gt;http://twitter.com/rslade&lt;/A&gt;&lt;BR /&gt;&lt;A href="http://blogs.securiteam.com/index.php/archives/author/p1/" target="_blank"&gt;http://blogs.securiteam.com/index.php/archives/author/p1/&lt;/A&gt;&lt;BR /&gt;&lt;A href="https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413" target="_blank"&gt;https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413&lt;/A&gt;</description>
      <pubDate>Sat, 22 Aug 2020 16:34:48 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/38384#M2924</guid>
      <dc:creator>rslade</dc:creator>
      <dc:date>2020-08-22T16:34:48Z</dc:date>
    </item>
    <item>
      <title>Re: Forcing Users To Review Information Security  Policies</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/38403#M2927</link>
      <description>&lt;P&gt;&amp;gt;&amp;gt;The signature or acknowledgment is not about whether you agree; it's that you are aware of the policy.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Yes. I understand that if a new policy comes out that never existed before when the employee was hired, it should be signed. Or when a new employee comes on board, they should read and sign to agree to the company policy; but if it's an existing policy being updated, does it still require a signature?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;gt;&amp;gt;There are cases extant (and that means case law, and precedent [unless you are in Louisiana or California, or some other civil law legal system] [and even then there might be jurisdictional issues]) where someone argued that, yes, they agreed to work for the company, but they didn't know there was X policy. And then other cases where they argued that they knew about X policy, but didn't agree with it. Or that they didn't know it applied to them. Or that they didn't know the details of X policy.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I guess it gets tricky when it comes to legal issues. It's like saying if a new employee never signs off on sexual harassment training and it happens, what then? If the new employee never finishes Diversity training and a complaint happens, what then? Can the employee claim they never had proper education and so are not responsible for their actions?&lt;/P&gt;</description>
      <pubDate>Mon, 24 Aug 2020 13:22:36 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/38403#M2927</guid>
      <dc:creator>sergeling</dc:creator>
      <dc:date>2020-08-24T13:22:36Z</dc:date>
    </item>
    <item>
      <title>Re: Forcing Users To Review Information Security  Policies</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/38406#M2929</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/630582371"&gt;@sergeling&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;&amp;gt;&amp;gt;The signature or acknowledgment is not about whether you agree; it's that you are aware of the policy.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Yes. I understand that if a new policy comes out that never existed before when the employee was hired, it should be signed. Or when a new employee comes on board, they should read and sign to agree to the company policy; but if it's an existing policy being updated, does it still require a signature?&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;Any updates to existing policy should require some form of acknowledgment from staff. There are other ways of confirming besides a physical signature on paper. For example, we upload the policy into our HR/payroll software for acknowledgment and with a simple click of a button, it's done.&lt;/P&gt;</description>
      <pubDate>Mon, 24 Aug 2020 15:23:01 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/38406#M2929</guid>
      <dc:creator>tmekelburg1</dc:creator>
      <dc:date>2020-08-24T15:23:01Z</dc:date>
    </item>
    <item>
      <title>Re: Forcing Users To Review Information Security Policies</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/38675#M2933</link>
      <description>&lt;P&gt;Agreeing with tmekelburg1 on leveraging the cloud payroll provider.&amp;nbsp; This is effective for us, because we can specifically address the changes to every user, including a record of their acknowledgement.&lt;/P&gt;</description>
      <pubDate>Sat, 29 Aug 2020 14:33:33 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/38675#M2933</guid>
      <dc:creator>ericgeater</dc:creator>
      <dc:date>2020-08-29T14:33:33Z</dc:date>
    </item>
    <item>
      <title>Re: Forcing Users To Review Information Security Policies</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/38887#M2934</link>
      <description>&lt;P&gt;We tack the sign-off documents onto our annual security awareness training. They have to complete the training in order to not have their domain account disabled, and part of that is acknowledging the documents.&lt;/P&gt;</description>
      <pubDate>Tue, 01 Sep 2020 11:52:44 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/38887#M2934</guid>
      <dc:creator>thegsmith</dc:creator>
      <dc:date>2020-09-01T11:52:44Z</dc:date>
    </item>
    <item>
      <title>Re: Forcing Users To Review Information Security Policies</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/39102#M2950</link>
      <description>&lt;P&gt;Bingo!&amp;nbsp; Sign off on policy or you lose access to the network/resource covered by the policy.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;When in doubt add a technical control to enforce an administrative control.&lt;/P&gt;</description>
      <pubDate>Wed, 09 Sep 2020 19:05:26 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/39102#M2950</guid>
      <dc:creator>trueshrew</dc:creator>
      <dc:date>2020-09-09T19:05:26Z</dc:date>
    </item>
    <item>
      <title>Re: Forcing Users To Review Information Security Policies</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/39719#M2983</link>
      <description>&lt;P&gt;It is indeed good to manage documents properly; certifications like ISO ask for a good document management system.&lt;/P&gt;&lt;P&gt;On my side, we are using a metadata frame that we put at the bottom of each document we manage (within Confluence). Then a script goes looking for specific values in the frame such as Document Owner, Last Review Date, Approver and others, all of which are text fields. In the end the Document Owner receives the findings from the above script in an email, and this on a regular basis until s/he corrects them.&lt;/P&gt;</description>
      <pubDate>Mon, 05 Oct 2020 14:36:34 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/39719#M2983</guid>
      <dc:creator>JulienB</dc:creator>
      <dc:date>2020-10-05T14:36:34Z</dc:date>
    </item>
    <item>
      <title>Re: Forcing Users To Review Information Security Policies</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/40218#M3013</link>
      <description>&lt;P&gt;Try CBT training and include it as part of their KPI as well. My current company has a lot of CBT trainings, and users need to complete them by a certain time. Failure to do so will be escalated to upper management. Also give the policy owners some sort of metrics on users' current understanding of the policies and procedures...&lt;/P&gt;</description>
      <pubDate>Sun, 25 Oct 2020 15:55:52 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/40218#M3013</guid>
      <dc:creator>Vasan</dc:creator>
      <dc:date>2020-10-25T15:55:52Z</dc:date>
    </item>
    <item>
      <title>Re: Forcing Users To Review Information Security Policies</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/40355#M3014</link>
      <description>&lt;P&gt;We use our agency's Learning Management System (LMS). It is the same system we use to assign mandatory training. Every year each employee has to go in and acknowledge all of the applicable policies. Easy to track and enforce completion.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;As to the why: it is important, if you are going to take any HR action against an employee, that you ensure they are aware of the policy that you are going to penalize them for. For example, we turned on USB blocking two years ago. We did not announce we were doing it. I did this on purpose. We sent out a notice after the fact stating that if they needed it for work purposes they could submit a helpdesk ticket along with their supervisor's approval. This allowed us several things:&amp;nbsp; For one, it would let me know who was doing it by the number of people screaming that they couldn't do it anymore. This would allow me to ask them what they needed USB access for (and we found a WHOLE bunch of PII violations were going on that we weren't aware of). We became aware of lots of unapproved use and the need for further training of our employees. Submitting a ticket would force them to go on the record stating they were only using it for business use, state what that business use was, and that their supervisor approved it. We had one person who submitted a ticket stating she needed it for business use. We later found out that she had a side job working for a city council and she was using her work computer to do work for them. This was a clear violation of our policies. We were able to take HR action against her because she had submitted a helpdesk ticket saying she needed USB access for business use. So there is a definite need to require acknowledgement.&lt;/P&gt;</description>
      <pubDate>Thu, 29 Oct 2020 13:36:44 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Forcing-Users-To-Review-Information-Security-Policies/m-p/40355#M3014</guid>
      <dc:creator>CISOScott</dc:creator>
      <dc:date>2020-10-29T13:36:44Z</dc:date>
    </item>
  </channel>
</rss>

