Virus detection
Installation
Signature file updates
Enforcement
Clearly state the consequences of inappropriate behavior.
Enforcement stages: Manager meeting, manager meeting with HR representative,
letter of reprimand, suspension with/without pay, and termination
8.6.1.6  Policy Enforcement
How strict can the organization be? How strict does it want to be? Too strict a policy
will push people to circumvent safeguards. Accessing inappropriate Web sites may
be purely accidental. Creating a situation where the employee must justify activity
may be embarrassing all around. A suggested method is to promote self-policing.
Publish the most frequently visited Internet sites on the corporate policy intranet
site. When the top ten sites fall into categories of sports, finance, travel, and online
auctions, most employees will get the message that management is aware of what's
going on. If this gentle nudge toward appropriate use does not work, the
elbow-in-the-ribs method still remains an option.
8.6.2  Using Social Psychology to Enforce Policies
The Enterprise Context Framework (ECF) presents a business process hierarchy
that includes workflow, process, and tasks. Task types include kinetic (manual) tasks,
automated (service) tasks, and cognitive tasks. Cognition (mental processes) segues
into psychology. Psychology includes individual psychology, organizational
psychology, group dynamics, and relationships. The point is that psychology plays a
role within any organization. The intent of using psychology is not to be
manipulative; rather, the intent is to be more effective. To that end and intent, the
psychology of persuasion increases the effectiveness of awareness and training programs,
especially when disseminating policy and attempting to instill awareness,
understanding, and compliance.
The IA 2 Framework provides an IA 2 people view. The IA 2 Process addresses the
existence and adequacy of policy dissemination programs as a potential business
risk. Many policy dissemination and security awareness programs attempt to be
one-size-fits-all. Given that a one-size-fits-all solution rarely fits any particular
situation well, various tailored approaches will increase effectiveness. Architecting
a framework for driving behavior toward IA policy awareness, understanding, and
compliance is organization specific. For example, passive IA policy dissemination
(e.g., posting policy on an intranet Web site) may be appropriate in some
cases, but active IA policy dissemination (e.g., live training) may be more
appropriate in others.