CYBER SECURITY OUTLOOK
Policy Matters: Creating Cybersecurity Policies that Won’t Weigh Employees Down
By Ken Fanger, MBA, CMMC-RP, President, On Technology Partners
I still recall (many years ago) when I started my first day at a Fortune 500 company. As I admired my shiny new cubicle, a friendly HR representative approached me with a very large book in her hands. My enthusiasm crashed as I read the cover: “Employee Manual.” She explained the importance of reading the entire book, as they would expect that I was fully aware of all policies.
This manual was a big, blue binder with over 200 pages of all the things I was not allowed to do. There was never a chance I was going to read any of it. The moment she left my cubicle, I took that huge book and retired it to its new permanent home, the lowest shelf I could find.
Throughout all of my employment at this company, I never saw that book opened or referenced once, either by myself or by any of the many colleagues I interacted with as a technician. While the information could have been useful, I would never know, because the content was unapproachable. If you want employees to use your policies the way policies should be used—particularly for cybersecurity matters—there are better ways to approach it than my experience at that company.
First, let’s boil down why you’re creating policies: policies help ensure that your team does the same process the same way, in an efficient and secure manner. In terms of cybersecurity, this could mean forming complex passwords or not taking vital documents home. Policies are also needed as requirements to meet a variety of compliance standards, regardless of your industry.
Now, ask yourself this question: Are you going to read two hundred pages of policies? Unless that’s your jam, the answer is probably not. That’s why my Big Book of Policies became my Big Shelf Holder of Policies.
Before I finally divulge how to approach cybersecurity policies, let’s take one more trip down memory lane, going back to my employment at a pharmaceutical company. It’s important to note that pharmaceutical companies are heavily regulated, and their policies must be followed very closely—an example of those compliance standards I mentioned.
As a young network administrator, I was responsible for the life of the network, ensuring that everything worked and was protected. One of my roles included the backup of all important data. The company had a policy for how to perform backups, so, being the good employee that I was, I went and asked for the policy. My manager told me, in all seriousness, “I can’t give you that policy because, per the policy, you have to be director-level or above to see the backup policy.”
I was stunned into silence. How was I supposed to follow a policy that I was not permitted to see? In the end, I created and implemented my own backup process using industry standards and off-site backups, but to this day, I have no idea if it met the requirements of the company policy. I share this example because it’s vital for you to realize that if you don’t give employees clear and easy policies to follow (and access to them), then they’ll make up their own policies and processes, and while it worked out in my case, it could very easily have ended in disaster. So, what’s the magic formula for cybersecurity policies? Here are some tips to remember when creating a policy:
1. KISS: Keep it Simple, Stupid. Basically, create policies that are clear and concise.
2. Clearly define the audience that needs to follow the policies.
3. Include the name of the person or committee that wrote the policy.
4. Keep a log of policy changes and dates with the policy.
5. Review the policy each year.
6. Ensure proper training and access to the policies.
Policies can be a great way to support corporate culture and protect you if something goes wrong, so it’s vital that they’re accessible and easy to follow. Your cybersecurity and employees will thank you.
Author profile:
Ken Fanger, MBA, has 30 years of industry experience in the fields of technology and cyber security, and is a sought-after CMMC Registered Professional, helping manufacturers and contractors to meet DoD requirements for CMMC compliance. He is passionate about technology deployment, and his MBA in Operations & Logistics has helped him to be an asset in the design and deployment of networks to enhance the manufacturing experience. Over the past 5 years, he has focused on compliance and security, including working on the SCADA control system for the Cleveland Power Grid. Mr. Fanger works with each client to identify their unique needs, and develops a customized approach to meeting those needs in the most efficient and cost-effective ways, ensuring client success.
MAY 2023