TL;DR
Security policies should be explained before an employee starts work and reinforced regularly throughout their employment. Initial onboarding is critical, but ongoing training and reminders are essential to maintain a strong cyber security posture.
Explaining Security Policies: A Step-by-Step Guide
- Pre-Employment (Offer Stage)
  - Acceptable Use Policy Acknowledgement: Include a link to your Acceptable Use Policy (AUP) in the offer letter or onboarding documents. Require candidates to acknowledge they’ve read and understood it before accepting the position. This doesn’t need to be exhaustive, just confirmation of awareness.
  - Basic Data Protection Notice: Briefly explain how you handle personal data during recruitment (e.g., CVs, interview notes) in line with GDPR or other relevant privacy laws.
- First Day/Onboarding (Critical Phase)
  - Comprehensive Policy Review: Dedicate time to walk through key security policies. This should be a dedicated session, not rushed as part of general HR onboarding.
  - Password Management: Explain requirements for strong passwords, password changes, and the use of password managers (if provided).
    Example Policy Snippet: Passwords must be at least 12 characters long, contain a mix of uppercase/lowercase letters, numbers, and symbols, and be changed every 90 days.
  - Data Security & Classification: Explain how data is classified (e.g., confidential, internal use only, public) and the rules for handling each type.
  - Email & Communication Security: Cover phishing awareness, safe email practices, and acceptable communication channels.
  - Device Security: If company devices are used, explain policies around device usage, software updates, and reporting lost/stolen devices. If BYOD (Bring Your Own Device) is allowed, detail the security requirements for personal devices accessing company data.
  - Physical Security: Explain procedures for building access, visitor management, and protecting physical assets.
  - Incident Reporting: Clearly explain how to report security incidents or suspected breaches. Provide contact information (e.g., IT helpdesk, cyber security team).
  - Policy Documentation & Sign-off: Provide employees with a written copy of all policies and require them to sign an acknowledgement form confirming they’ve read and understood the rules. Keep this on file.
- Ongoing Training (Reinforcement)
  - Regular Security Awareness Training: Conduct regular training sessions (e.g., quarterly, annually) to reinforce security best practices. Use real-world examples and simulations (like phishing tests).
  - Phishing Simulations: Regularly test employees with simulated phishing emails to assess their awareness and identify areas for improvement.
    Example Simulation Tool: Gophish
  - Policy Updates & Communication: Whenever security policies are updated, communicate the changes clearly to all employees and require them to re-acknowledge the revised documentation.
  - Role-Specific Training: Provide additional training tailored to specific roles and their associated security risks (e.g., developers need secure coding training).
- During Employment (Reminders & Updates)
  - Security Newsletters/Tips: Share regular security news, tips, and reminders via email or internal communication channels.
  - Incident Response Drills: Conduct periodic incident response drills to test the effectiveness of your procedures and employee preparedness.