How to Make Users Aware of Security Policies

Now that you have a reasonable set of policies, how do we make users aware of them? Obviously, policies are useless if the users affected by them do not know they exist. However, before we even get to that question, we need to address a different question: are the policies tractable to users? Policies that are too abstract are useless. If users cannot understand the policies, they cannot follow them. Likewise, policies that are too specific are not useful. Policies must be meaningful, actionable , and relevant. During the development of policies, you probably should do some user acceptance testing to ensure that the policies are meaningful to users. It is also worthwhile pointing out that policies must be simple enough to understand and remember for users. If you make the policies too complex, nobody will read and remember them. The general user population probably should not have to read more than about five policies, and each of those policies should probably have no more than five to seven important points to them. If you design the policies keeping those limits in mind, you are much more likely to get a set of policies that people actually can follow.

Needless to say, the policies have to be accessible to users. Many organizations post them on an internal Web site. One particularly interesting approach is to make the polices innocuous where they are used. For example, using Group Policy, you can put a button that links to the e-mail policy on an Outlook toolbar. You can put a link to the AUP on the Start menu. You can put a link to the password policy in the same place. Of course, you should also ensure that all new employees are familiar with the policy and that they sign a statement during new employee orientation. You may even want to consider giving them copies of selected policies upon notification of a job offer. We have seen company security policies that would make us think twice about working for that organization, so it is interesting information to have when deciding whether to take the job.

The key point here is that you need to ensure that people have read the policies. You will not be able to enforce the policies unless you can prove that people have read them. We have more to say about user education in Chapter 5, "Educating Those Pesky Users."

Do We Need to Modify Policies for Particular Users?

A question that sometimes comes up is whether there should be exceptions to policies. For example, we perform many demonstrations where we use what some would consider "hacking tools." In fact, when we do penetration tests, which is rare these days, we need these tools to do the job. Unfortunately, most virus scanners consider these tools bad and remove them from our computers. This makes it very hard for us to run virus scanners on our systems, and we therefore have a general exception to the antivirus policy. It is not a bad idea to have a section of each policy that deals with exceptions and enumerates what additional protective measures need to be taken if one is granted.

Another really obvious policy exception group is executives. Unfortunately, far too often they consider themselves above policies, but it is an important issue to deal with. Should executives have the ability to do things that ordinary employees cannot?