Our obligations to our staff and security continue throughout the time the employee works for the organization. From making sure the management are aware of their security focused responsibilities, making sure security-awareness programs happen in your organization and ensuring there is a fair, understood disciplinary process is in place to address security breaches.

7.2.1. Management responsibilities.

This control requires we make sure management enforces the information security requirements. Good security practices cannot be put in place and abided by without managerial support. For example, having great, comprehensive password protection policies is no good if a manager allows, or even encourages staff to share login credentials before they go on annual leave so they can cover for each other. Managers must be specifically instructed to apply information security standards as per the organizations policies and procedures, including providing training where required.

7.2.2. Information security awareness, education and training

It is often said that the biggest risk to security comes from staff and users of IT systems. The best defence we have against this weak link is training. Studies have shown that the more educated a user is, the less likely they are to be the cause of security incidents. This is due to increased knowledge but also increased awareness of the risks the staff member’s organization faces. From this it quickly becomes apparent that one of the best ways to protect your organization is to put into place an initiative for continuous security awareness training, and more general information security training, for all staff. This will ensure that staff understand their responsibilities, types of attacks that may target them and the different threat vectors. It can also instil certain best practices into staff, such as not holding the door open to unidentified people, not giving out information over the phone, to be more scrupulous when deciding if an email is a phishing attack and even to discourage staff from discussing sensitive matters with colleagues in public places. Part of this training should include familiarising staff with policies and other security documents.

7.2.3. Disciplinary process.

It is inevitable that, despite our best efforts, there may be times when it becomes necessary to discipline staff. Having a defined disciplinary process that is enforced ensures both uniformity and fairness. This is an essential practice for modern organizations. This flows into ensuring security policies and procedures are followed and disciplining staff for deviations. If there is a verifiable security breach and the cause is found to be a staff member not following best practices security breach the disciplinary process should begin and it should allow for different degrees of result depending on the severity of wrongdoing by the staff. On top of this, employees should be made aware of this process.

Different countries have different laws and requirements around staff discipline and this process should be handled by qualified HR staff.