Policy and Handbooks

(OBJ 5.6)

Policies and Handbooks

• Policy
  • A system of principles and rules guiding decisions, ensuring compliance with legal and ethical standards
  • "Covers specific topics"
    • Policy on data protection, one for remote work, another acceptable use of technology, and yet another for conflicts of interest and things like that
• Handbook
  • A comprehensive guide providing detailed information on procedures, guidelines, and best practices for individuals
  • "Covers broader areas"
    • Might be created for employees, another one for training, another one for compliance, and things like that
• Policies and handbooks are living guidelines that shape behavior and decision-making in organizations
• These documents vary between organizations based on industry, needs, and use cases
• Importance of not just reading but understanding the policies and handbooks is crucial

Scope of Policies and Handbooks

• Cover various aspects in an organization, e.g., data protection, remote work, technology use, conflicts of interest
• Different handbooks for different aspects, e.g., Employee Handbook, Training Handbook, Compliance Handbook

Data Destruction Policy Example

• Some policies may define rules for data disposal, e.g., shredding
  • Provides clear guidelines on the proper disposal method for sensitive data printouts
• Color-coded paper for document classification
• Shredding of sensitive documents to prevent data breaches

Remote Work and Data Protection

• Organizations may have strict guidelines regarding remote work
• Policies cover physical files and digital files that leave the office
• Restrictions on what can be taken home or worked on remotely
• It is about securing sensitive information, considering a home office's potential lack of security
• Example:
  • Not allowing employees to have smartphones or personal digital assistants inside of the building.
  • Not allowing employees to take their work laptops home

Policy Guidance for Daily Responsibilities

• Provide guidance on handling various situations, e.g., data breaches, reporting suspicious activity
• Ensures employees know how to respond to specific scenarios
• Example:
  • If you receive a suspicious email, refer to the employee handbook for email threat guidance

Policy and Handbook Updates

• Policies and handbooks should be reviewed at least annually
• Updates to reflect changing cybersecurity landscape
  • Policies and handbooks must adapt to evolving cybersecurity
• Employee awareness of policy updates and significant changes is crucial
• Highlight significant changes in a one-page summary

Human Judgment and Culture of Security

• Policies and handbooks may not cover every scenario
  • Policies and handbooks are not foolproof, so it is vital to train employees to understand them to make necessary judgement calls
• Employees should understand the "why" behind the policies to make judgment calls
• Creating a culture of security involves reporting gaps and fostering a secure environment
  • Policies and handbooks foster security culture by encouraging to report concerns to management

Importance of Employee Involvement

• Encourage employees to bring up concerns and questions
• Open communication with management and leadership teams
• Collective responsibility in promoting a secure organization culture