Time to Test Your Policy Management’s Effectiveness
How many of your employees leave scribbled passwords on post-it notes under their keyboards or taped to the bottom of a drawer? How many keep confidential information on laptops that they take home to work on?
Employees don’t mean to jeopardize the organization’s information security — they’re loyal to the company and dedicated to their jobs, but when they’re focused on the tasks at hand, they often don’t think about cybersecurity threats, risks and potentially vulnerable areas.
The seemingly simple actions listed above leave the door wide open for potential data breaches. We previously explained how the first step in preventing data breaches is creating policies, and detailed a few questions your organization should consider when creating IT security policies.
So what’s the next step? Employees need to be made aware of security policies AND reminded regularly of them. They need to review and acknowledge that they’ve read and understood policies — and you need a way to capture their signature and/or acknowledgement. A policy management system can help manage this process, but how do you know if your system is effective?
- Your system should send automated alerts when a new policy has been released or a previous policy has been updated. Automated policy management software, such as the one from ConvergePoint, can track open rates so you can quickly see who has opened the policy and who hasn’t.
- The policy management system should not only track that employees have opened the document, but also ensure employees have read and understood the policy. Employees can be required to sign off on the policy (with a timestamped acknowledgement) or take and pass a quiz on the policy.
- Escalation alerts and reminder emails should be automatically sent to employees who are fast approaching the deadline for reading and acknowledging a policy to ensure compliance.
- For those employees who are quick to respond, an effective policy management system will encourage them to provide suggestions and feedback on policies. Comments and questions should be welcome — it shows your employees care, and sparks a culture of communication and employee participation.
- When data security is not at the forefront of discussions, it often becomes forgotten. Send recurring reminders on a quarterly or annual basis, asking employees to re-read and re-acknowledge policies.
- After training on a policy, look for an uptick in potential violations or cases associated with the policy. When it’s fresh on people’s minds, they’re more likely to report things they notice.
- An effective policy management system is one that is accessed regularly. When employees have questions or need to reference a particular policy, they should be able to quickly search for and find the information they need. Does your system organize policies in a way that makes sense, and offer robust search functionality? Or, do employees not bother to look up information when they have questions because it would take them hours to dig through share drives and folders?
- Your policy management system should also give you a bird’s-eye view of employees’ progress, as well as produce ad hoc reports. That way, you can spot potential issues and take a proactive approach to addressing them.
What’s the third step in protecting your organization by ensuring employees are properly trained on policies and procedures? Take a look at our How-to Guide: