Best Practices for Policy Review (And Why Policy Review is Important to Security)
A few years ago, one of our clients experienced a security incident. An employee took a photo at work and posted it online, revealing intellectual property on the open internet. Dire as that sounds, the damage was unintentional — a group of employees at a social event took a selfie that happened to capture a project they were working on in the background.
In this case, the matter was resolved quickly and without further problems. Someone at the company saw the photo and took it off social media. No one in the photo got in trouble. They hadn’t meant to post proprietary information and, as it turned out, even if they had acted maliciously, they wouldn’t have violated company policy: the organization’s communication policy was so old it didn’t cover smartphones, social media, or selfies at work. That’s a common problem when policies aren’t reviewed regularly — technology changes before the policy is updated.
Keeping your policies updated
A company’s policies can cover anything: from employee travel to background checks to emergency plans and procedures. When policies are put in place, they’re usually written, reviewed, and approved by a committee, but unless a review process is put in place, those policies can be forgotten and fall out of use, or they may not keep up with the times — a communications policy may only cover landlines rather than mobile devices, for example. If you’re not keeping your policies updated, you’re not being proactive. Below are some best practices for keeping your policies and procedures up to date.
- Review every policy annually. Make a list of all company policies and create a monthly schedule. Every month, review a handful of policies. That way all your policies are reviewed annually, but you’re not trying to review every policy at once.
- Be sure that each policy is clearly stamped with a creation date and revision dates. This will help you keep track of changes.
- Don’t simply focus on compliance. Compliance-focused companies tend to be reactive. You want to review every policy you have and also examine any area that might require new policies, like a social media policy. Policy review can help your organization be proactive.
- Make sure your employees can find your policies. Policies should be accessible to everyone in your organization. Make sure everyone in your company knows how to find them, and knows if major changes have been made to a policy.
- Test your employees on competency. Sometimes it’s not enough to have a policy. Sometimes it’s important to make sure that your employees know the policy by testing them. This is particularly vital if you’re testing employees on compliance issues, or on a security issue, like cyber hygiene. Choose a training that’s engaging, aligns with your policies, and is administered often, rather than once in a long while.