The CISO approach: Security Policy - Human Factors

Security as a Mission

Respecting the organisation’s security policy is an essential condition for the continuity of activities. Each person must be aware of it, implement it, and understand that if they do not comply with it they will risk sanctions (potentially legal).

Each member of the ‘organisation’ must read and sign the ‘security compliance agreement for members of the organisation’ provided in the annexe. Newcomers will read it and sign it upon taking up the employment, while ‘existing employees’ sign it when the policy comes into effect, under the responsibility of the staff manager.

Training and Information

Everyone should be aware of both the risks and the security measures and procedures to be implemented. In this respect, all managers must ensure that the persons under their responsibility are aware of the security policy.

Additionally, any person with technological responsibilities must ensure that they are proficient in the security aspects and, if necessary, have provided training and information to their colleagues.

Applying Security Measures for:

• computers connected to the Internet
• laptop computers

See Also:

• Protecting your business – Training your employees
• Awareness and training
• Human errors

Human Resources Management

Before Recruitment

The security policy aims to ensure that all agents are aware of their responsibilities and they are chosen because of their suitability for the responsibilities allocated to them. This principle avoids the risk of error or incorrect use of the organisation’s property.

To this effect, the organisation must ensure that it mentions security-related responsibilities in job descriptions. The candidates, especially for sensitive posts, are chosen to consider this element. The chosen candidates are asked to sign an agreement on their security-related roles and responsibilities.

During the Employment Contract

The aim of the security policy is to ensure each agent is aware of:

• the usefulness of knowing and understanding the security policy,
• the threats that are most likely to affect the security of their activity,
• the worst-case scenarios,
• their responsibility in terms of security, and
• the necessity of contributing to risk reduction, particularly in relation to human errors.

The security policy encourages each agent to receive the appropriate training and qualifications. In particular, users must:

• know and understand the security policy
• know and respect the instructions and security measures
• actively contribute to improve security
• inform the members of the security committee of any shortcomings or security incidents.

The provisions of the disciplinary procedure on the general employee status are applicable in the event of a violation of the security policy rules.

Responsibility at the End of the Contract

It is also the purpose of the security policy to ensure that the actors who are leaving the organisation or changing post follow a formal procedure. In particular, the actors must return all of the organisation’s equipment, their access must be withdrawn and they must be made aware of their responsibilities that remain applicable after their employment contract has ended, e.g. the obligation to respect confidentiality.

Response to Incidents and Malfunctions

Each member of the “organisation” must report the following observations to their direct manager, to the IT manager, or the management board:

• the weakness (vulnerability) of a tool, a procedure or any other element of the “organisation”,
• any security incident noted using a surveillance tool or by any other means.

Reported incidents and vulnerabilities are dealt with and resolved by the manager responsible for the element concerned. Their initiator and other members of the company are informed of the solutions implemented so that everyone remains vigilant.