Tuesday, October 2, 2012

Stuff I Say - No One Has Ever "Read and Understood"

   Most organizations have policies.  Most medium-to-large sized organizations have security policies.  I hope that yours does!  Policies are a cornerstone to a security program.  People need to know what to do and policy is that high-level guidance.

   Of course, people need to read those policies!

   Many organizations will have staff sign a form that states they have read and understood the policies.  Sometimes this happens just once.  Sometimes it's annually, perhaps at the same time as an annual performance review.  Sometimes it's when a person joins the organization, or shortly thereafter.

   But does that work?  What is the goal?  I say that doesn't work!  No one has ever "read and understood"!

   Policies can be long and complicated (I'll address that problem in a future post).  At the very least, they tend to use very formal language.  And that's by design.

   But whether an organization goes for a single long "policy" or a series of items comprising the body of policy, there will likely be a lot of material in there.  Not everything applies to every individual.  Some policies may be complex and/or technical.  Some are "role based", meaning they apply to people in, or acting in, a particular role such as: supervisor, systems administrator, developer, etc.  Some are location-based, meaning they apply to staff when they are working in an alternate location, such as a branch office, or via remote access.

   The bottom line is that with this volume and variety of material, the average staff person will not, and should not, read it all.  And even if they did, it's not likely that they will understand it all.

   So, if we make staff sign a form on which they state they have "read and understood" policy, then we are likely forcing them to lie... and to attest to that lie!  And that is not how we want to create what is possibly a person's first encounter with your security program.

   But many organizations do have a regulatory requirement to assure that staff are aware of policies... What to do?

   Here's my solution.  Have staff sign off that they acknowledge their responsibility to assure they are familiar with organization policy and relevant statutes and regulations!  Of course, along with that statement you should supply all the appropriate links to make it easy for staff to find those resources.  It's as simple as that. With that, you have put the responsibility where it belongs... with staff.  Staff are aware of what they need to know.

   Do you like this idea?  How do you assure staff are aware of policy?  Do you ask staff to attest that they have "read and understood"?  If so, how does that work out?

