Employees need to be made aware of, and adhere to, organisational security policies to help with the prevention and detection of, and the reaction to, potential threats. Employees should understand security policy standards, procedures, baselines, and guidelines.

New employees should be trained on security policy as soon as possible, ideally prior to accessing the organisational network. If it is not possible for new employees to be fully trained immediately, then they should at least be made aware of the key points within a starter pack or induction. It is critical that employees are informed of the seriousness of cybersecurity, and of the potential consequences and damages if policies are not adhered to. On completion of training, employees should be certified after a brief assessment, to demonstrate that they understand the organisational security policies. Existing employees should be required to periodically refresh their security policy training, for example biannually or annually, dependent on the sensitivity of the data handled.

Basic aspects of a security policy that should be explained to all employees include, but are not limited to:
Acceptable Usage Policy: Should explain how employees may use organisational resources and detail restrictions, such as not using organisational resources for non-business-related purposes.

Data Classification Policy: Should explain data classification levels and the handling procedures at each level. Commercial classification levels could be listed as public, private, and restricted.

Password Policy: May provide detail on password rules, expiration limits, secure usage, etc.

Email Policy: Should define email usage for employees, e.g. only the secure company email should be used for business purposes, and the use of private email accounts is not allowed.

Mobile Devices: Should provide detail on the security levels to be implemented on mobile devices containing organisational data, such as encryption, remote erase capabilities, and PIN code locks.

Clean Desk Policy: Media containing sensitive information, such as notebooks, sticky notes, etc., should be secured and not left on