I like that your policy added a training and policy review section. The training section was great because not only did it mandate training in writing, but it stated who would receive the training and more critically when they would receive the training. The addition of a training certificate at the completion of training to be retained by the business is a good idea too. I might suggest that the training might be annual/semi-annual for all employees to continue to facilitate policy awareness throughout the employees’ employment with A3N. The section requiring policy review within a specific period is great because at a minimum your policy ensures that it will be reviewed every 24 months, and more importantly whenever a data breach occurs to ensure the policy’s scope is valid.
I think the way you did your presentation was good too. Adding in short “scenarios” applicable to specific sections of the policy helps visualize those portions for employees and can help imprint those images into the mind to draw on later if those scenarios pop up for those employees. The flow in your video was seamless and well done too.
Sean,
Thanks so much for the feedback. That’s a great point about specifying when retraining should occur. It could even be tied into that “event of a data breach, policy will be reviewed and retraining on the policy is required”.
The video was surely a challenge. We did think about what points we wanted to highlight to help drive the behavior we would want from employees.
I agree that the training was a great addition, as well as the outcomes if the policy wasn’t adhered to. The addition of training and outcomes of non-compliance with the policy makes expectations for A3N and applicable users clear, including monitoring. There are no surprises.
Sean – your recommendation for a training certificate is a good idea and provides an artifact for memorializing that training happened.
An additional recommendation is for a point of contact for the policy in the event that someone has a question or needs to report an incident.
I will probably read more about using color-coded RMDs because I haven’t seen that type of policy before.
This was informative.
Ivy,
Great call out. As I was reading your respective groups’ policies, I realized it was an obvious omission. This would clearly be an opportunity to identify the appropriate responsible/accountable person or group that manages the policy.
Team 1,
Great job on the acceptable memory usage policy. Especially when working with the DoD, adherence to security standards such as NIST SP 800-171 is crucial for the business. As a suggestion, I believe that adding a portion that talks about what type of data could or could not be stored on an RMD would be beneficial to the employees. Such things as data classification pertaining to DoD or commercial use should be segregated and treated differently. Overall, your policy covers the major areas pertaining to this topic. Thank you very much for the knowledge.
Also, I don’t know if it’s just me, but I was not able to watch the video. It gives me a playback error.
Loi – you can try accessing the video directly via https://www.youtube.com/watch?v=ylaVSP1hG3g&feature=youtu.be
Loi,
Good feedback! – Thanks for your suggestion on clarifying the types of data that can and cannot be stored on an A3N approved RMD. I agree specifying such information will be beneficial to new/existing employees. However, under the acceptable use section of the policy and through the video, we tried to communicate the message that A3N employees are allowed to store only “sensitive” official/company related data on A3N approved RMDs (i.e., they cannot be used for storing any other non-company related data), period.
Under 6.3 Exceptions, in what case would an exception be made? I would think that if you’re a government contracting firm, the exceptions are rare. Also, who on the InfoSec team can determine the exception? I thought the policy was very informational and clear; I especially liked the real-world examples in the video.
I like the “demo”, which gives some examples to explain what employees should not do. Using a “demo” can give employees direct visual information to help them understand the policy. All of the situations are simple, but employees will do them without realizing it. When they watch these demos, it will help them review their actions. Then, it is helpful that you provide a way for employees to ask questions about this policy. This is valuable for improving the policy in the future. However, maybe you could just show some important points in the slides to help employees get the point instead of writing everything down in them.
In the document, I like the part which tells people what they should do when they actually make mistakes. Nobody can follow this policy at the beginning or forever without any mistakes. Telling them what they should do and what kind of responsibility they should take are effective ways to reduce the influence of risk. Then, it is good that you also made a rule for reviewing this policy, which can make the rules more suitable for the company. However, I have a question: what kind of information is considered sensitive information?
I agree with my teammates Xiodi and Joe that the video was extremely informative. Team 1 did a great job of using the video as a way to give examples and give information about the policy. For people or employees who understand better through examples, this is very important. I also like how the acceptable memory usage policy was described well. Where can one find out more about the related policies like Army AR 380 or AR 25-2, etc.?