December 15th, 2003, 08:36 PM
? about policies for security admins.
I work for a financial institution and we are required to maintain policies for everything from Data Encryption standards to Acceptable VPN and Wireless usage. I recently was asked by auditors to provide some sort of evidence that my users had read and accepted every policy that pertains to them. Of course this is going to be a big pain in the butt.
How do you all handle policy distribution and make sure that everyone that needs to read a certain policy has read, understands and has accepted it? I was thinking about developing an intranet application to help with this, but was wondering if there was already a similar solution available out there?
Don\'t hate the player... Hate the game!
December 15th, 2003, 08:41 PM
Once a year every employee has to sign a "Code of Ethics" document, this document has reference to all applicable policies, by signing the Code of Ethics, you are agreeing that you have read all relevant polices and accept all terms and conditions.
December 15th, 2003, 08:53 PM
Yes, there is a marvellous tool out there..................it is called the payroll
They get a payslip at least once a month? they all have a box for messages? you need to set up an intranet page with a form that they either electronically or print and manually sign.
The message on the payslip is simple: "sign up by XXXXXXXX or you will not see another one of these"
You can also provide pop-up reminders when they log on, until they have complied and are taken off the list.
If they are external auditors then you have no problems if your EVP finance is on your side.....your corporation's fees are more important than your policies........fire them at HR....they are the ones who employ the crooks in your department?
None of this will prevent another Enron
December 15th, 2003, 09:04 PM
Aren't auditors fun?
We have to maintain similar documents, but we don't have the same level of stress over it as financial institutions. In any case, HR is required to provide the documents, and the time to review them to the new employee. That covers you for the first exposure. However, with updates, changes and new policy, how to get that across to employees and prove that you did it.
Nihil's idea of payroll/web/intranet tools makes a lot of sense. If an employee of a financial institution isn't paying attention to IT and org policy, then that employee needs to find another job in another industry.
Just my nickle's worth, as oppose to nihil's tuppence.
With the exchange, that's about the same.
December 16th, 2003, 12:04 AM
mmm... I don't know about anyone else but the major stumbling block we have come across is the fact that it is relatively easy to change records if they are kept electronically. Our company regularly gets inspected by FDA, BSI and a few others - FDA and BSI have insisted that we keep paper copies of our training records (these include agreeing and adhering to relevant company policies) signed by the relevant employees and that they are kept up to date. I would love to have our records kept electronically on a permananent basis (would get rid of so much paper) - I know there are ways to show that a file has not been altered but not all regulatory bodies are quite so quick on the uptake to digital media - I'm wondering if you will face similar problems being as you work for a financial institute.
Quis Custodiet Ipsos Custodes
December 16th, 2003, 04:52 PM
Hi there Slim and the rest of you. We (me and Nihil among others) had a similar discussion a little while back here at AO. The thread is located here if you want to take a look. Who knows, you might find something of interest if you're lucky.
[shadow] Nobody\'s perfect, but I\'m damn close...[/shadow]
December 16th, 2003, 06:37 PM
Case point for quick fix. This is tough but it worked. I e-mail an acceptable use policy to the entire company. State that wihtout this policy the company, and your user data is at great and terrible risk to hackers. Make it sound sincere and scare them.
Then state, if I do not have a signed copy printed and mailed back to me within 15 days, network access will be suspended. Of course you have to have a written policy to back it up. Here's some ...
or here if you want and entire system already type in native word formats, expensive but worth man hour costs.
Alex has some good stuff but is expensive and their telemarketers will drive you nuts, may get you up to speed fast though...
December 22nd, 2003, 11:09 AM
Following on from the advice above, we too only allow access to the network if employees sign up to our Security Policies document. In the first instance, a username and pasword is not supplied by the SysAdmin until they have received a signed copy of the doc from the employee. Thereafter, they have to re-sign every 6 months. Failure to do so within two weeks results in the suspension of their access to the network until a signed declaration is received. To ease this, we allow electronic copies of the document to be circulated (via either email or intranet), but a paper copy of the declaration (one single a4 sheet) must be signed by the user and returned to the SysAdmin. This keeps the paper down to a minimum while comlying with audit requirements.
December 22nd, 2003, 01:23 PM
hmm or u can always do what i did. i just wrote up 1 page of contract which preety much covers things in GENERAL, and a booklet which goes things through details. give everyone each a copy, have them sign the contract and they keep the booklet. ofcourse i did the documentation, i guess u can always hire someone to do the documentation but if u are doing the implemetation of the policies, u better do it urself.
December 22nd, 2003, 05:35 PM
In case anyone hasn't taken a look at this book, it is a great investment.
"Information Securith Policies made Easy"
Its pretty expensive, around $800, but it'll save your job in the long run..