Security Basics mailing list archives
RE: How to distribute corporate policies {Scanned}
From: "Josh Redmond" <josh () brentredmond com>
Date: Fri, 13 Oct 2006 14:02:51 -0700
Nick,

I'm sure everyone will have their own methods, but here's my experience. SANS actually has some really good guidelines on this. See...

http://www.sans.org/resources/policies/?portal=29051800d348bf21195e6924ed7fdea4

I actually ended up adopting a "canned" AUP that they had available for use. However, I feel distribution is key. A good unknown or misunderstood policy will achieve nothing. I've chosen two methods for the company I work for.

1. Added a link to the corporate AUP on the intranet site. Also, enforced group policy to make sure everyone had the intranet site as the homepage. (IT task)

2. Incorporated the AUP into the company handbook as an amendment. Everyone had to sign to acknowledge receipt, as with any other amendment. (HR task)

Things I have chosen not to do that you may consider...

1. Indicate during login that use of company equipment is subject to the AUP and reference its location.

2. If the policy is internet based rather than "general use", you may also write a script and/or a GPO to have the user acknowledge the AUP when opening the web browser or other internet-aware applications.

3. Place a label on the equipment reminding users that they are subject to the AUP, with a location reference.

The list here goes on. I've only chosen to do a very basic approach because in my opinion being over-zealous with inundating the user with policy reminders can be counterproductive. They may end up simply writing it off as "spam" because it becomes more noise to deal with in the work day.

I find that users will often educate themselves more effectively once one of them becomes an example of policy abuse and is penalized. Then the lesson sets in for real. I'm not sure of too many ways to avoid that situation. But, having an organization-wide meeting with key upper management making the policy(s) known to the world may be a best bet. At least that way users know that the policy change/implementation is fully sponsored by upper management and they shouldn't take it for granted that it's the IT guys' "job."

I'm also curious to see others give feedback on your inquiry. I deal with these issues regularly and I'm always looking for more input.

Thanks!
Josh Redmond

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Nick Duda
Sent: Thursday, October 12, 2006 9:59 AM
To: security-basics () securityfocus com
Subject: How to distribute corporate policies {Scanned}

I'm curious as to how other corporations distribute their InfoSec policies to their employees. A task I will be faced with soon is distributing (making known) corporate policies such as Acceptable Use, Password, AntiVirus, etc. For them to abide by policy they need to know about them. Should they also sign them? That would be a lot of paper, or should they just be placed on an intranet type of setup to view? If that's the case (intranet), what are the methods of announcing them and future new policies as they are written, email? I'm looking for opinions and how others do this.

Regards,
Nick