This post is the ninth in a series of what I consider the top ten topics for any security awareness program. Selecting the right topics, those with the greatest value for your organization, is key to a successful program. This series is not designed to tell you what your awareness program must have; instead, these posts are designed to give you recommendations, a place to start. For the ninth topic we change focus from protecting ourselves from the bad guys to protecting ourselves from ourselves. Unfortunately, in some rare cases employees can be our own worst enemy. Some key points:
Monitoring: By monitoring, I mean reminding your employees that your organization actively monitors network and system activity, something I see many awareness programs leave out. As we know, most organizations monitor their networks so they can identify and respond to an incident. As a result, your employees need to understand that their activities are most likely monitored as well, and that they should have a limited expectation of privacy (how limited depends on your organization's requirements, local laws, etc.). This is important for several reasons. First, by making this known ahead of time, it is much simpler for your incident response team to respond to incidents: they do not have to fight for permission to access system logs or network activity, because that expectation was set in advance. In addition, if end users know and accept that their activity may be monitored, you have deterrence. For example, by posting every month the top ten sites employees are visiting, you not only demonstrate how much time is potentially wasted, but you also remind employees that their activity is monitored, which helps deter potential insider activity or fraud.
Acceptable Use: These are the policies that define what can and cannot be done. Usually these are common-sense rules, such as: end users may not hack other systems, may not bypass security controls, may not monitor other employees, and may not send sexually explicit emails to other employees. However, if you are going to punish violators, then employees have to know the rules first. The last thing you want is an end user who hacks other systems internally and then gets away with it because they were never told not to.