Five ways to focus your workers on compliance

Written by John P Mello Jr on June 4, 2010 – 2:49 pm -

The Pyramid of Compliance.


Most business initiatives need employee “buy in” to work, and compliance is no exception. Automated systems can impose a degree of uniformity in enforcing initiatives, but where the rubber meets the road will always be where your workforce interacts with your systems. An employee who embraces your policies and procedures can be your best protection from threats like email-borne malware, as well as your assurance that your organization is complying with industry and regulatory mandates.

How do you focus your people on compliance? Here are five suggestions from Ernie Hardin, founder and owner of 443 Consulting, an information security and business continuity consultancy in North Bend, Wash.

1. Get’em at the Door

Probably the easiest worker to obtain buy-in from is the new hire. He or she is a clean slate without some of the baggage of existing workers. New hires are also eager to please their new employer so they’re more willing to accept your compliance rules.

What should be included in a new hire’s introduction to compliance? A message from your company’s CEO emphasizing the employee’s role in the security of the firm can be very valuable in attaching importance to compliance. Of course the nuts and bolts of external rules and regulations that your business has to comply with–HIPAA for medical facilities, for example, or Sarbanes-Oxley for publicly traded companies–need to be explained, as well as your firm’s appropriate use policy relating to email and Internet usage.

2. Get ‘em Where They Eat

“Brown Bag” training sessions can be a useful approach to getting current employees on board with your compliance program. The key to making these successful, though, is to bait them with something that appeals to the worker’s self-interest. Free lunches are hard to resist, but tailoring your message is important, too. For example, Hardin points out that a session could be structured around computer security at home–a topic of some importance to most of your workers. Since good security practices at home overlap with good security practices at the office, the session would be killing two birds with one stone.

“Fortunately, this training also reinforces good security habits, which, in turn, employees tend to bring back to the work environment,” Hardin writes.


Cyberspace strategy and good paranoia

Written by Dan Blacharski on June 3, 2009 – 2:32 pm -

President Obama’s new cyberspace strategy announced this week is a far-reaching document, the effects of which have yet to be sorted out. Needless to say though, such a strategy is inevitable on the Federal level and absolutely necessary—we just still need to see where this is taking us.

There are the inevitable concerns over privacy, and paranoia about whether government is going to control our email and our Facebook pages. But, as any good security admin knows, a bit of paranoia goes a long way, and actually makes up about 40 percent of any security policy. And this is as it should be.

In the Cyberspace Policy document itself, there’s an odd bit that’s a little ill-defined, and could conceivably go anywhere. Specifically, it states as a goal to “build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.” That privacy and civil liberties have been mentioned in this passage is encouraging, but what are they talking about when they refer to an “identity management vision?” One of the slightly more paranoid points of view here speculates that it means the creation of a government system to track everybody’s identities online. Again, paranoia is good, and without it, we would have no security at all, but this may be a bit of a stretch. Still, it’s on everybody’s mind from the get-go. An article on Silicon.com quoted the President saying, “Our pursuit of cyber security will not include monitoring private sector networks or internet traffic.”

Any so-called “identity management vision and strategy” may well involve the creation of yet another compliance issue which could be immense, convoluted, and expensive to comply with, but at this point all we can do is wait it out and see what the President has in mind for this.
