RE: OT - Acceptable Use Policy Legality

["Rick Shaw" <rick () corpnetsecurity com>]

All,

Andy is absolutely correct.

However, in today's digital world, we hear experts everyday saying "just do
it" when it comes to developing policies, implementing policies, enforcing
policies and most importantly educating employees about policies.

We see HIPAA and GLB Act guidelines that say 'train staff - including
management, employees, vendors and business associates'.

So how do you accomplish the education and implementation and enforcement on
an ongoing basis effectively and efficiently?  You can try to train staff in
conference rooms using speakers, consultants, video tapes, and CBT, but how
do you show due diligence? how can you show that each employee truly
understands and has agreed to comply with each of your company policies and
procedures?  how do you show your compliance auditors that your organization
is providing effective ongoing awareness training to every employee?

The real key is to have dynamic and continuously updated information that
can be accessed by any staff member at any time from anywhere...  In today's
digital world, utilizing the Internet or Intranet for distribution of
educational content that is developed by professional Information Security
expertise for end-users along with a service that reports each employee's
progress is the best way to address the #1 security threat we all face.

Rick Shaw
CorpNet Security
www.corpnetsecurity.com
"Trust.no.one....Train.everyone"

> -----Original Message-----
> From: firewall-wizards-admin () nfr com
> [mailto:firewall-wizards-admin () nfr com]On Behalf Of Andy Wigglesworth
> Sent: Friday, November 17, 2000 7:11 PM
> To: 'Jeff Newton'; firewall-wizards () nfr com
> Subject: RE: [fw-wiz] OT - Acceptable Use Policy Legality
>
>
> Yes...Policies need to be signed. You need it as proof that the employee
> knows and understands the policy. Personally, I don't think that
> just having
> them sign it is enough. More and more lately the courts are
> finding that way
> to.
>
> I like to think of the process of policy development with 4 E's
> Evaluate....the corporate culture
> Establish.. the policies to match the culture
> Educate... the end users in regards to the polices
> Enforce... the polices with IT tools such as Firewalls, Anti-Virus,
> Content Scanning, URL Filtering, etc....
>
> Where most companies fail in policy development is with the 3rd E,
> educating the end users in regards to the policies. Lets build a little
> scenario for you. Joe in accounting has been going to web sites that the
> company has
> decided to be inappropriate for Joe to go to.  Joe has been warn ( talk
> to) to stop yet he has not. Joe is fired. Joe turns around and sues the
> company for wrongful termination. The reason, Joe says, is that he was
> unaware of the company polices in regard to this. What the courts are
> going to look for are the following:
>
> Were there polices in place to begin with....Yes there was
> Were there tools put in place to enforce the polices....Yes there was
> Were there any form of education for the end users in regards to the
> policies beside the company handbook that Joe was given when he was
> hired..No, there wasn't
>
>  Find some way to educate the end users.  Not just once, for that is not
> enough in most courts, but on a scheduled time....maybe quarterly, in
> regards to policy. I do know of a few programs that do just that if you
> would like to know about them.
>
> After all of this, the enforcement of the policies, from a corporate
> standpoint, becomes allot easier. All that is left is for IT to pick the
> best products to work with ( for they will have to manage these products
> and enforce the polices on the back end ).
>
> Andy Wigglesworth
> CONQWEST, Inc
> ~Policy First~
> http://www.conqwest.com
>
> -----Original Message-----
> From: firewall-wizards-admin () nfr com
> [mailto:firewall-wizards-admin () nfr com]On Behalf Of Jeff Newton
> Sent: Thursday, November 16, 2000 8:05 PM
> To: firewall-wizards () nfr com
> Subject: [fw-wiz] OT - Acceptable Use Policy Legality
>
>
>
> I'm looking for information regarding the legality of an AUP.  Is it
> absolutely necessary to have every employee sign it or is it
> sufficient to indicate the AUP is a condition of employment?
>
> Can anyone offer some insight on the topic?  Any lawyers in the crowd?
>
> Cheers,
>
> ----
> Jeff Newton
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://www.nfr.com/mailman/listinfo/firewall-wizards
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://www.nfr.com/mailman/listinfo/firewall-wizards


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards