Security Basics mailing list archives

RE: How to distribute corporate policies {Scanned}


From: "Josh Redmond" <josh () brentredmond com>
Date: Fri, 13 Oct 2006 14:02:51 -0700

Nick,

I'm sure everyone will have their own methods, but here's my experience.
SANS actually has some really good guidelines on this.

See...

http://www.sans.org/resources/policies/?portal=29051800d348bf21195e6924ed7fdea4

I actually ended up adopting a "canned" AUP that they had available for use.

However, I feel distribution is key.  A good unknown or misunderstood
policy will achieve nothing.  I've chosen two methods for the company I work
for.

1.      Added a link to the corporate AUP on the intranet site.  Also,
enforced group policy to make sure everyone had the intranet site as the
homepage.  (IT task)

2.      Incorporated the AUP into the company handbook as an amendment.
Everyone had to sign to acknowledge receipt, as with any other amendment.
(HR task)

Things I have chosen not to do that you may consider...

1.      Indicate during login that use of company equipment is subject to
the AUP and reference its location.

2.      If the policy is internet based rather than "general use" you may
also write a script and/or a GPO to have the user acknowledge the AUP when
opening the web browser or other internet-aware applications.

3.      Place a label on the equipment reminding users that they are subject
to the AUP with a location reference.

The list here goes on.  I've only chosen to do a very basic approach because
in my opinion being over-zealous with inundating the user with policy
reminders can be counter productive.  They may end up simply writing it off
as "spam" because it becomes more noise to deal with in the work day.  I
find that users will often educate themselves more effectively once one of
them becomes an example of policy abuse and is penalized.  Then the lesson
sets in for real.  I'm not sure of too many ways to avoid that situation.
But, having an organization-wide meeting with key upper management making
the policy(s) known to the world may be a best bet.  At least that way users
know that the policy change/implementation is fully sponsored by upper
management and they shouldn't take it for granted that it's the IT guys
"job."

I'm also curious to see others give feedback on your inquiry.  I deal with
these issues regularly and I'm always looking for more input.

Thanks!

Josh Redmond
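
[Editor's note: the two Windows-side controls Josh mentions above, the logon notice pointing at the AUP and a GPO-enforced intranet home page, both come down to a handful of registry values. The script below is an added illustration for this archive page, not code from the thread or from Josh; the intranet URL, the caption text and the function name are placeholders. It writes the same values the "Interactive logon: Message title/text" security setting and the Internet Explorer home-page GPO manage, so it can be used to test locally before rolling the equivalent GPO out.]

```powershell
# Added example, not from the original thread. Run elevated on a test machine.
# The URL and caption text are assumptions; replace with your own.

$AupUrl = 'http://intranet.example.local/policies/aup.html'   # assumed intranet URL

# 1. Logon legal notice, shown before the user can sign in.
#    These are the value names the "Interactive logon: Message title / text"
#    security policy writes.
$sysPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $sysPolicy -Name 'legalnoticecaption' -Type String `
    -Value 'Acceptable Use Policy'
Set-ItemProperty -Path $sysPolicy -Name 'legalnoticetext' -Type String `
    -Value "Use of this system is subject to the corporate AUP. See $AupUrl"

# 2. Enforced browser home page. This is the per-user policy hive the
#    "Disable changing home page settings" IE GPO uses, so it must run in
#    the user's context (e.g. as a logon script).
$iePolicy = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Main'
$ieLock   = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
New-Item -Path $iePolicy -Force | Out-Null
New-Item -Path $ieLock   -Force | Out-Null
Set-ItemProperty -Path $iePolicy -Name 'Start Page' -Type String -Value $AupUrl
Set-ItemProperty -Path $ieLock   -Name 'HomePage'   -Type DWord  -Value 1   # lock it

# Verification: read the values back so the change can be recorded/audited.
# Function name is a placeholder.
function Test-AupSettings {
    $sys = Get-ItemProperty -Path $sysPolicy -ErrorAction SilentlyContinue
    $ie  = Get-ItemProperty -Path $iePolicy  -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LogonNoticeSet  = -not [string]::IsNullOrEmpty($sys.legalnoticetext)
        HomePageMatches = ($ie.'Start Page' -eq $AupUrl)
    }
}
Test-AupSettings
```

[Editor's note, continued: the IE policy keys only govern Internet Explorer; on current Windows builds the equivalent home-page enforcement goes through the Edge or Chrome ADMX policies instead. The logon notice values are still honoured by all supported Windows versions.]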


-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]On Behalf Of Nick Duda
Sent: Thursday, October 12, 2006 9:59 AM
To: security-basics () securityfocus com
Subject: How to distribute corporate policies {Scanned}



I'm curious as to how other corporations distribute their InfoSec policies
to their employees. A task I will be faced with soon is distributing
(making known) corporate policies such as Acceptable Use, Password,
AntiVirus....etc. For them to abide by policy they need to know about
them. Should they also sign them? That would be a lot of paper, or
should they just be placed on an intranet type of setup to view.

If that's the case (intranet) what are methods of announcing them and
future new policies as they are written, email? I'm looking for opinions
and how others do this.
Regards,
Nick



---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

