I am looking for a way to hold the departments accountable and ensure they atleast review the policies that we have. I was thinking about using adobe sign but don't want to go cloud. An application like those that make you scroll to the end then click agree would be nice if it kept track of the people who signed. I'm looking for any recommendations, we have hundreds of users and docs.
We tack on the signing documents onto our annual security awareness training. They have to complete the training in order to not have their domain account disabled, and part of that is acknowledging the documents.
Bingo! Sign off on policy or you lose access to the network/resource covered by the policy.
When in doubt add a technical control to enforce an administrative control.
It is indeed good to manage documents properly, certification like ISO are asking for a good document management system.
On my side we are using a metadata frame that we put at the bottom of each document we manage (within Confluence). Then a script goes looking for specific values as part of the frame such as Document Owner, Last Review Data, Approver and others all are text fields. In the end the Document Owner is receiving the findings from the above script within an email and this on a regular basis until s\he corrects them.
Try CBT training and include ask part of their KPI as well. My current company has a lot of CBT trainings, and users need to complete it by certain time. Failure to do so, will be escalated to upper management. Also giving the policies owners some sort of metrics on their current understanding of the polices and procedures...
We use our agency's Learning Management System (LMS). It is the same system we assign mandatory training. every year each employee has to go in an acknowledge all of the applicable policies. Easy to track and enforce completion.
As to the why. It is important if you are going to take any HR action against an employee that you ensure they are aware of the policy that you are going to penalize them for. For example we turned on USB blocking two years ago. We did not announce we were doing it. I did this on purpose. We sent out a notice after the fact stating that if they needed it for work purposes they could submit a helpdesk ticket along with their supervisor's approval. This allowed us several things: For one it would let me know who was doing it by the amount of people screaming that they can't do it anymore. This would allow me to ask them what they needed USB access for (and we found a WHOLE bunch of PII violations were going on that we weren't aware of). We became aware of lots of unapproved use and the need for further training our employees. Submitting a ticket would force them to go on the record stating they were only using it for business use, and state what that business use was, and that their supervisor approved it. We had one person that submitted a ticket stating she needed it for business use. We later found out that she had a side job working for a city council and she was using her work computer to do work for them. This was a clear violation of our policies. We were able to take HR action against her because she had submitted a helpdesk ticket saying she needed USB access for business use. So there is a definite need to require acknowledgement.