The first step to employee computer policy compliance is that the policies must be enforced, and they should be enforced consistently and fairly across all levels of an organization. If policies are not enforced, they will be ignored, which is the equivalent of not having a policy in the first place. There are several steps to enforcement. The first step is that employees (or anyone who may use a computer within an organization) must know and understand the policy, and must acknowledge that they have read and understood it. This is often accomplished by having the employee sign a copy of the policy to show they have read it, understood it and will comply with it. The second step of the enforcement process is to place the signed copy of the policy into the employee's personnel file. From that point on it becomes important to document all instances of non-compliance with the policy. This documentation should then be used during the annual review process as one of the criteria for awarding raises, bonuses or promotions.
Here is an example of an enforcement scenario from my book, Hardening Network Security:
* First offense – Verbal warning, with documentation added to the employee's personnel folder.
* Second offense – Written warning, with documentation added to the employee's personnel folder. Written warnings in a personnel folder will cause a reduction of any bonuses or raises for one year after the infraction.
* Third offense – Employee is placed on probation for a specified period. If the employee violates any company policy while on probation, they are terminated immediately. No raises or bonuses for one year after the infraction.
* Fourth offense – Immediate termination.
Some individuals reading this example might consider it harsh, and might feel that it could create an unpleasant work environment. And if presented to employees in the wrong manner, it certainly could be considered harsh.
When seeking to gain compliance with any policy, employees should be told the reasoning and logic behind the policy. Violation of computer acceptable use policies can cost an organization lost productivity as systems are slowed or stopped due to virus or Trojan outbreaks. Lost productivity means lost revenue and added expense, as the IT department has to take time to remove the “infestation.” Proprietary data could be lost due to theft by hackers or unintentional distribution to a competitor. Once again, this could mean lost revenue as a competitor gains an unfair market advantage from its new knowledge. Lost revenue means that there could be less money available for raises or bonuses. If you tell users that non-compliance directly impacts their wallets, they will be more likely to comply. They will also be more likely to report the non-compliance of other employees.
One aspect of enforcement that is often overlooked is the concept of “positive reinforcement.” This means that employees who consistently comply with policies, rules and guidelines should be rewarded to reinforce this positive behavior. This can be as simple as a gift certificate, or it can include a higher-than-normal raise or bonus during the annual evaluation process.
Layering for Compliance
As with other security implementations, there need to be multiple “layers” to gain compliance with policies. Users often do not comply with policies because they may not like or respect the IT staff who drafted them. Unfortunately, the IT industry does not have a good reputation. IT professionals are often seen as arrogant, poor communicators and a little odd. Whether this is true or not, in this case perception is reality. IT professionals should take steps to change their image. If IT professionals work on developing a more professional image, it can be easier to gain employee support for new policies.
Another layer to add is to remove as many temptations as possible. Filtering mechanisms can be implemented to prevent employees from going to inappropriate or non-work-related Web sites. Blocking access to racial hate sites, gambling sites, peer-to-peer networking sites, social networking sites, pornographic sites, etc. can reduce the risk of virus, Trojan and rootkit installation, and can remove the possibility of an HR-related claim should someone see offensive material appear on a co-worker's computer. However, it is important to recognize that filtering is not enough. Filters that rely on lists of inappropriate sites will never be complete. New sites are created on a daily basis, and no one can keep up with them all.
Because of this constantly changing environment, it is important to include annual training for computer users. Many organizations provide training during the orientation process for new hires and consider that enough; however, new hires are usually inundated with information during orientation and are not likely to remember all of the details of a computer policy.