Employee Security Policy (Cyber Security Part 2)

Eli the Computer Guy 11,327 4 years ago

Support Silicon Dojo at: https://www.donorbox.org/etcg http://www.silicondojo.com/

Employee Security Policy

Culture
  Employee Bonding and Buy In
  Relationships are worth more than products
  People telegraph their intentions, fire them BEFORE they become a problem
  Seek to understand employee problems and then find where YOU can yield
  Managers are employees too…
  Build a network of influencers and get their buy-in

IT and the CEO
  What does the CEO envision
  What are the CEO’s goals
  What are the CEO’s priorities

IT and HR
  Understand the hiring and firing process
  Understand what issues HR is having
  Understand what the rules and laws are for employers

IT and Legal
  Understand what the legal priorities of the company are
  Understand what regulations affect your company: HIPAA, PCI
  Create a connection so when asked to do something questionable you have someone to call

IT and Marketing
  Understand what data Marketing wants
  Understand what systems Marketing uses

IT and Employees
  Understand what the employees are supposed to do
  Understand what the employees actually do
  Understand Pain Points

Acceptable Use Policy
  Tell your employees what is and is not acceptable use of electronics equipment.
  Have them sign the dotted line…
  Many free templates available.
  Don’t just copy/paste a template.
  Think about what you are telling your employees to sign.
  Stupid contracts breed contempt….

Written Employee Policies
  Having written policies keeps everyone on the same page
  Written policies make discipline easier
  Have a formal review process for policies with timed revisions and updates

Social Media Policy
  “Cancel Culture” is real
  Make sure employees understand where the company stands
  Do you want employees putting who they currently work for on social media?
  DON’T FRIEND COWORKERS

Standards for Discipline
  Rules NEED punishments
  Document what the punishments are, and why they are implemented.
  Make discipline actions as public as possible (Legal considerations)
  “Discretion” is “racism/ sexism/ ableism/ ismism”

Worth the Argument?
  Sometimes “because” is an appropriate answer
  In Debate Culture YOU LOSE
  Fighting is more fun than working…
  Deal with in PRIVATE
  Business is a decision, what do both sides actually care about

Separation of Authority
  No one person to blame
  “I would, but… THEY won’t let me”

Digital Surveillance (Video and Audio)

Email Scanning
  Scan emails for objectionable words, bounce back emails and notify that the email was logged.
  Communication is about more than “email”

BYOD Issues
  If THEY own it what rules can you have?
  Create separate networks for BYOD
  Build a ZERO TRUST infrastructure

Shadow IT
  Why are employees using Shadow IT?
  What Pain Point is Shadow IT solving?
  Bring Shadow IT into the light.
  Shadow IT NEEDS consequences

White List/Black Lists and DNS
  Use DNS filters and such to prevent users from going to inappropriate sites on company equipment.
  Give employees a safe passage with guest network access for their BYOD

System Auditing
  Have systems continuously audit the infrastructure
  User logons
  Device Discovery
  Available Network Services
  SSIDs

Asset Tracking
  Create process for Asset Tracking
  If a laptop is stolen would you know?

Physical Access Control
  Locks keep good people from doing stupid things
  Create access control between departments, building floors, and IT infrastructure
  Create a process for gaining access
  Audit who has access to what areas

Logs and Real Time Notifications
  Create systems to notify admins in real time about security issues

Disabling Terminated Employees
  Zombie Accounts are a HUGE problem

“Security” is about more than firewall ports.
  Create a Coffee Budget