



Network Security Security-Management

Re: How to organize a lot of policies?

Subject: Re: How to organize a lot of policies?
Date: Wed, 11 Jan 2006 09:54:16 -0600
Neksus wrote:

Hello,

I am currently working on rewriting / re-working security policies and
there are a *lot* of policies. I'm thinking it's probably not a good
idea to have users sign them all (especially if they don't apply to
them). What I would like to do is structure them in an easy to
organize/update scheme.

I have a couple of strategies in mind and would appreciate some input.


It looks to me that you're off on the right track
initially.

My personal preference:

1.  An internal website for the company is imperative
in the first place, and all policies should be well
indexed on that site.

Configure all employees to get notifications of changes
to the pages that are relevant to them.


Upon hiring (or implementation of the process) have
all employees sign off on a blanket policy document
that puts the responsibility of reading and adhering
to future published docs.

Automate administration of the system by having
the logs of the webserver check off employees
that have viewed the docs and email those that
haven't.

With very little programming, you can build a great
site that tracks all you need to know.

2.  A wiki is one of the greatest personnel tools
a company can use.  Put one together and organize
it by topics of interest, not necessarily by job.

Don't over police it - let employees feel free to open
their minds and hearts, get them involved.

Over time, you will find that every project will improve
and people feel more like they belong.

3.  Most important:

Lastly, be the first company in the world that makes
EVERYONE from the janitor to the president adhere
to company policies.  :)

My $.50 worth (inflation)

And... good luck!

--
Excellence in InfoSec and Linux
http://www.altsec.info
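
The web-server-log check suggested in point 1 could look like the sketch below. It is an added example, not part of the original post. It assumes the policy site requires login so the access log (Combined Log Format) records a username, and that views made before a policy's latest revision do not count. All names, paths and dates are hypothetical.

```python
import re
from datetime import datetime

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Combined Log Format; the third field is the authenticated user ("-" if none).
LINE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def unread(log_lines, revised, audience):
    """Map each user to the policies they have not viewed since the last revision."""
    seen = set()
    for line in log_lines:
        m = LINE.match(line)
        if not m or m["user"] == "-" or m["method"] != "GET":
            continue  # unparsable, unauthenticated, or not a page view
        path = m["path"].split("?", 1)[0]
        if path not in revised or m["status"] not in ("200", "304"):
            continue  # not a tracked policy, or the page was not served
        when = datetime.strptime(m["ts"], TS_FMT)
        if when >= revised[path]:  # views of an older revision do not count
            seen.add((m["user"], path))
    todo = {}
    for path, users in audience.items():
        for user in users:
            if (user, path) not in seen:
                todo.setdefault(user, []).append(path)
    return {user: sorted(paths) for user, paths in todo.items()}

# Constructed sample data: users, paths and dates are made up.
SAMPLE_LOG = [
    '10.0.0.5 - alice [09/Jan/2006:10:00:00 -0600] "GET /policies/aup.html HTTP/1.1" 200 5120 "-" "Mozilla"',
    '10.0.0.6 - bob [03/Jan/2006:09:00:00 -0600] "GET /policies/aup.html HTTP/1.1" 200 5120 "-" "Mozilla"',
    '10.0.0.7 - - [09/Jan/2006:11:00:00 -0600] "GET /policies/aup.html HTTP/1.1" 200 5120 "-" "Mozilla"',
    '10.0.0.5 - alice [09/Jan/2006:10:05:00 -0600] "GET /policies/remote.html HTTP/1.1" 403 210 "-" "Mozilla"',
]
REVISED = {
    "/policies/aup.html": datetime.strptime("05/Jan/2006:00:00:00 -0600", TS_FMT),
    "/policies/remote.html": datetime.strptime("01/Jan/2006:00:00:00 -0600", TS_FMT),
}
AUDIENCE = {"/policies/aup.html": {"alice", "bob"}, "/policies/remote.html": {"alice"}}

if __name__ == "__main__":
    for user, paths in sorted(unread(SAMPLE_LOG, REVISED, AUDIENCE).items()):
        print(f"remind {user}: {', '.join(paths)}")
```

The returned mapping is the reminder list; the mail step is left out because it depends on the local mail setup.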
