Acceptable Behavior

IT may be a gatekeeper, but it is not the arbiter of all things ethical. Again, that's HR's job, even if an IT director or security officer authored an "acceptable use" policy under the umbrella of IT policy. IT frequently falls down the rabbit-hole of trying to define ethical behavior for an organization in the context of its computer systems and resources.

By confusing this topic, loopholes are created where people may claim that only specific behaviors were proscribed, or that there wasn't any clear connection between misuse of technology and an actual ethical violation for which one might be terminated. Confusion creates uncertainty, and uncertainty lets misbehaving people through the cracks -- even when the violations are pretty egregious.

It's important to work with HR to understand the ethics standards for the organization, and to make sure that they account for the things that might take place. For example, a non-IT ethics policy might focus on job performance and gender sensitivity, but ignore the resources and common behaviors permitted by the presence of information technology.

By reviewing the policies together, HR may decide to add specific topics about handling sensitive information or behaviors while connected to company resources. With a little attention, it may be possible to lean on the HR ethics policy heavily so that an Acceptable Use Policy can focus on real use and potential pitfalls -- instead of trying to re-state the ethical justification behind the policy.

Training vs awareness

There aren't enough hours in the day for most IT security staffers, so I often wonder why they spend any of them putting on their own information-security training sessions for the general office population. Not only is it wasteful to put on single-purpose training sessions of that sort, but those most likely to attend voluntarily are not those who most need to be reached.

Whether selling items on eBay or running a business from one's desk, the behaviors, prohibitions, policies, and training ought to be the same regardless of mode. Trading ID badges and database accounts? Leaving keys in the door or writing a laptop's password on the cover with a marker? Calling a manager when something is seriously amiss in a system or paper files are found unlocked and rifled-through? Technology is not the issue.

Like most other controls in information security, the most effective ones are indistinguishable from properly performed business processes, so there's little good reason not to combine security training with periodic HR training on organizational policies. As a first step, IT security trainers should pick up the HR training list or catalog and see where the information can be combined in existing courses.

"Awareness," on the other hand, is typically used to mean ongoing reminders about right actions and proper behavior -- distinct from classes or instructional sessions that constitute formal training. A security awareness program is a good vehicle for ensuring that good behaviors are maintained, through messages, posters, periodic campaigns or other ways of getting short messages out. However, it's often not verifiable, so it's a poor tool for communicating important changes or events.

Don't re-invent the wheel. If HR has a program of regular reminders about business policies, communications updates, or other messages that are not tied to a specific event, it may be efficient and effective to piggy-back on those as well. Otherwise, security staff should conduct their own awareness campaigns more often than not.