Does your CFO know how to wire in a new Ethernet jack in a meeting room? Can your net tech read a P&L? If you are in an organization like 99% of those in the world, the answer to both questions is probably, “No”.
Just as your employees have different responsibilities with respect to the organization’s mission, they also have different responsibilities with respect to its cyber security. More specifically, each group probably needs to know its own cyber security role and not those of others (we’ll discuss that more in a bit). For example, why should the Chairman know how to make backups of servers?
It is critical for every employee to know his or her role in the cyber defense of the organization. Sure, everyone needs to know the organization’s password policy, when doors are to be locked, how to secure mobile devices, and so forth, but each role likely has some specific cyber security tasks, too.
And some of those responsibilities are confidential to the role. If, for example, everyone knew when certain types of audits were scheduled, someone could “adjust” the audited software or hardware to comply and then return it to its prior state after the audit (yes, I’ve seen it done!).
So what do you need to do? First, at your periodic policy review, you also need to review who has access to each policy or section. That is done by role, so it is not a case of looking at each employee’s access individually!
Next, you’ll need to compile the sections for each role so employees can review them in their security refreshers and sign them in their annual HR policy-signing session.
There is more to do and we describe some of the tasks in Learning Tree’s System and Network Security Introduction.
October (this month) is National Cyber Security Awareness Month (NCSAM), the 13th one, in fact. This is a good time to begin the analysis of who needs to know what when it comes to policy. It is also the time many organizations choose for policy reviews.
Your assignment for the week – if you have not already done so – is to consider the cyber security responsibilities of the different roles in your organization. This may be difficult if you don’t know all the roles or responsibilities, but the sooner you begin this process, the easier it will be when you do it “for real”.
To your safe computing,