I am looking for a way to hold the departments accountable and ensure they at least review the policies that we have. I was thinking about using Adobe Sign but don't want to go cloud. An application like those that make you scroll to the end then click agree would be nice if it kept track of the people who signed. I'm looking for any recommendations, we have hundreds of users and docs.
You could look at a tool like Metacompliance, however reading a long policy isn't usually top of people's agenda in many organisations, so unless it's a complete re-write it may make sense to just announce the delta.
Agree with Steve, make it part of your corporate training program with maybe a short quiz.
I'm curious why the users have to sign to show they review the policy. When an employee agreed to work in the company, they have agreed (and signed) that they will comply with the company policy (which includes the Information Security Policy). If there's an update to the Information Security Policy and it's announced, why do employees have to sign for it again?
For example, if the company updates the information security policy and implements a change on the system to comply with GDPR, I don't like the change, never sign, and later on cause the company financial loss due to non-compliance with GDPR, does that exempt me from any responsibilities/liabilities since I never signed/acknowledged?
@sergeling wrote: I'm curious why the users have to sign to show they review the policy. When an employee agreed to work in the company, they have agreed (and signed) that they will comply with the company policy (which includes the Information Security Policy). If there's an update to the Information Security Policy and it's announced, why do employees have to sign for it again?
For example, if the company updates the information security policy and implements a change on the system to comply with GDPR, I don't like the change, never sign, and later on cause the company financial loss due to non-compliance with GDPR, does that exempt me from any responsibilities/liabilities since I never signed/acknowledged?
It's all about accountability, non-repudiation, and litigation. It's easy for someone to lie and say they didn't know, especially if their job is in jeopardy. Best practice is to have some kind of acknowledgement between the staff and employer to protect everyone involved. Plus it's a great way to make sure everyone is aware of your policy before it goes into effect. The signature or acknowledgment is not if you agree, it's that you are aware of the policy.
>>The signature or acknowledgment is not if you agree, it's that you are aware of the policy.
Yes. I understand if a new policy came out that never existed before when the employee was hired, it should be signed. Or when a new employee comes on board, they should read and sign to agree to company policy; but if it's an existing policy being updated, does it still require a signature?
>>There are cases extant (and that means case law, and precedent [unless you are in Louisiana or California, or some other civil law legal system] [and even then there might be jurisdictional issues]) where someone argued that, yes, they agreed to work for the company, but they didn't know there was X policy. And then other cases where they argued that they knew about X policy, but didn't agree with it. Or that they didn't know it applied to them. Or that they didn't know the details of X policy
I guess it gets tricky when it comes to legal issues. It's like saying if a new employee never signs off on sexual harassment training and it happened, what then? If the new employee never finishes Diversity training and a complaint happened, what then? Can the employee claim they never had proper education and not be responsible for their actions?
@sergeling wrote: >>The signature or acknowledgment is not if you agree, it's that you are aware of the policy.
Yes. I understand if a new policy came out that never existed before when the employee was hired, it should be signed. Or when a new employee comes on board, they should read and sign to agree to company policy; but if it's an existing policy being updated, does it still require a signature?
Any updates to existing policy should require some form of acknowledgment from staff. There are other ways of confirming besides a physical signature on paper. For example, we upload the policy into our HR/payroll software for acknowledgment and with a simple click of a button, it's done.
Agreeing with tmelekburg1 on leveraging cloud payroll provider. This is effective for us, because we can specifically address the changes to every user, including a record of their acknowledgement.