In the third of our posts about a robust security policy from a Virtual Data Room provider's perspective, let's take a look at how you actually implement the policy. As in the other posts in this series, we are sharing some of the lessons and policies we have put in place at EthosData to manage our Dataroom business.
The hardest part of the process is often rolling it out to your organization and getting employees’ buy-in and commitment to comply with it. The best intentioned projects can fall flat when it comes to the implementation phases, so you need to plan this step carefully to ensure its success.
Adopting the Policy
Have your senior management team approve and sign off on the security policy in the same way that your company makes other major decisions. This might not be practical in a small business that doesn't have such a team. In that case, the owner, finance manager or someone else with the authority to make executive decisions needs to own the security policy and be accountable for it.
Enforce the adoption of the security policy as part of official company policy. Go through it step by step and consider how each directive will be applied in the business. Make sure your employees have the tools they need to operate in accordance with it, and decide in advance how you will handle any directive that turns out not to be practical or possible, rather than leaving staff to quietly work around it.
Supporting the Policy
Once you have a security policy in place, you'll need to create secondary policies and procedures to support it. For example:
- What procedures should your employees follow if they suspect that security has been compromised?
- How will you notify users if you discover they aren’t complying with certain directives in the policy?
- Policies are seldom applicable 100% of the time, and exceptions will need to be granted on the basis of a documented rationale and a genuine business need. What process will staff follow to request an exemption from a policy directive, and who approves these requests?
- How will you log and record exceptions, what are the conditions under which they may be approved, and when will they expire or be reviewed?
By working with the various departments or responsible people within your company, such as your IT team, legal counsel and marketing personnel, you can establish operating procedures that comply with the policy requirements while ensuring that the needs of other users are fully met.
An essential part of implementing your security policy is to train your users in areas such as social engineering risks. Often, users create security issues unnecessarily because they don't understand the risk associated with certain actions. For example, dumping hard copies in garbage bins opens the company to the risk of industrial espionage by anyone prepared to go dumpster diving for information. Make sure your staff know how to recognize and prevent 'shoulder surfing' and password sharing, and how to verify requests that appear to come from authorized users, since an attacker may be impersonating them; a request received by email or phone should be confirmed through a separate channel the employee already trusts, not by replying to the request itself.
It's important to make it clear from the outset that the policy is an official company standard, that exceptions are granted only in defined circumstances and through the approval process, and that failure to comply will result in disciplinary measures.