The first step to cybersecurity compliance lies in creating controls. Nearly every standard or regulation requires you to establish policies, procedures, and protocols. However, the adage holds: “actions speak louder than words.” Ensuring that everyone within the organization complies with policies and procedures can sometimes be a more formidable process than creating them.
Ensuring Compliance with Policies & Procedures
Why company policies matter
Company policies act as your written compliance guide. All compliance requirements call for written policies and procedures that establish baseline security controls. These requirements primarily exist to ensure that senior management knows its job and has exercised oversight appropriately.
However, written documents only assess intent. For example, you can write down in a policy that you intend employees to establish strong passphrases. You can even set specific controls over the number of letters and special characters. Unfortunately, everyone knows where the road of good intentions lands them.
According to the LastPass 2018 Global Password Security Report, however, the majority of employees do not create secure passphrases despite these policies and controls. Based on its review of 43,000 organizations that use its password management platform, LastPass found that 43% of the top 30 domains employees use are popular consumer applications and that 50% of people use the same passwords for personal and work accounts.
What does this mean regarding compliance with policies? It means that you can create policies and procedures, but you can’t be sure that employees are following them. You can include requirements for password security as part of your employee policies, but you can’t see if they’re following them, especially if they’re reusing passwords across personal and professional life.
Why non-compliance matters
The Health Insurance Portability and Accountability Act (HIPAA) provides an excellent example of what employee non-compliance can do to a business. Under HIPAA, healthcare providers must safeguard protected health information (PHI) and electronic PHI (ePHI). Although HIPAA doesn’t set prescriptive password requirements, both NIST Special Publication 800-63B and HITRUST suggest password complexity controls.
Under HITRUST, which aligns with NIST, mid-level healthcare organizations must protect passwords from unauthorized disclosure and modification in storage and in transit, must not include them in any automated log-on process (for example, stored in a macro or function key), and must encrypt them during transmission and storage on all system components. Additionally, organizations must issue temporary passwords that are unique to an individual and not guessable.
In short, a password such as 12345 or Password1234 would likely count as guessable, leading to non-compliance.
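As an added illustration (not part of the original article), the following Python screens candidate passwords the way NIST SP 800-63B recommends, checking length, a blocklist of commonly used values, sequential or repeated runs, and context-specific words such as the organization name, and reuses the same screen when issuing temporary passwords. The blocklist and the context words are constructed for the example, and the function names are my own.

```python
import re
import secrets
import string

# Constructed blocklist; a deployment loads a large breached-password list (NIST SP 800-63B 5.1.1.2).
COMMON_PASSWORDS = {"password", "password1", "password1234", "12345", "123456",
                    "qwerty", "letmein", "welcome", "admin"}
MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen memorized secrets

def is_sequential(s: str, run: int = 4) -> bool:
    """True if any window of `run` characters ascends or descends by exactly 1 (e.g. 1234, dcba)."""
    codes = [ord(c) for c in s.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False

def is_repetitive(s: str, run: int = 4) -> bool:
    """True if any character repeats `run` or more times in a row (e.g. 'aaaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), s) is not None

def guessability_findings(password: str, context_words=()) -> list:
    """Return the reasons a candidate secret counts as guessable; [] means acceptable."""
    findings = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    # Drop trailing digits/symbols so 'Password1234' is still caught as 'password'.
    core = re.sub(r"[\d\W_]+$", "", lowered)
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        findings.append("appears on the commonly used password list")
    if is_sequential(password):
        findings.append("contains a sequential run (e.g. 1234, abcd)")
    if is_repetitive(password):
        findings.append("contains a repeated character run (e.g. aaaa)")
    for word in context_words:  # organization or user name, per 800-63B
        if word and word.lower() in lowered:
            findings.append("contains context-specific word %r" % word)
    return findings

def generate_temporary_password(length: int = 14, context_words=()) -> str:
    """Random one-time secret, re-screened with the same rules before it is issued."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not guessability_findings(candidate, context_words):
            return candidate
```

Running `guessability_findings("Password1234")` returns two findings (blocklisted and sequential), which is the kind of evidence an auditor can accept that the "not guessable" control is actually enforced rather than merely written down.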
When it comes to HIPAA, non-compliance carries hefty fines. An accidental violation (under which passwords could fall) carries a minimum of $100 per violation, with an annual maximum of $25,000 for repeat violations. However, the maximum penalty can be $50,000 per violation with a yearly maximum of $1.5 million.
However, with healthcare breaches increasingly arising out of criminals obtaining passwords, a case can be made for weak access controls being considered willful neglect. In that case, the fines can increase to a minimum of $50,000 per violation, with an annual maximum of $1.5 million. The maximum penalty here is the same as the minimum.
Ensuring that your employees know their responsibilities and act in compliance with your policies becomes a primary issue that you need to address.
5-Step Guide to Ensuring Compliance with Policies
Step 1: Make Sure the Employee Handbook Sets Clear Expectations
Senior management needs to ensure that all employees are meeting compliance requirements. As part of their job, the C-suite must establish clear goals, including but not limited to setting conditions for employee device use at work, employee password hygiene, and employee remote access authentication.
Step 2: Get Human Resources on Board
HR is your gateway to your employees. They onboard new team members and establish the tone of your compliance program. HR needs to make sure that reviewing compliance policies and employee handbooks is part of the onboarding process. They need to document this review, which can be as simple as an employee-signed attestation or as complex as a grade on a quiz.
Step 3: Establish Clear Procedures for Employee Misconduct
Just as you can create policies and ensure training, employees can choose to ignore them. If you don’t have procedures in place for employee noncompliance, you place your organization at risk. You need to incorporate, as part of your employee handbook and HR policies, what steps are taken in the event an employee is found in noncompliance with cybersecurity policies.
A password security problem may lead to a verbal warning, but if the employee shares the password with someone outside of the organization, you might want to consider a written notice. Additionally, you need to consider how many policy violations you’re willing to allow. Another consideration would be determining the employee penalty for not using a firewall or anti-malware protection on a personal device that the workforce member uses when working remotely. While policies and new member training act as the first steps to ensuring employees protect data, giving those requirements teeth solidifies your commitment to cybersecurity.
Step 4: Create an Ongoing Training Requirement
Cybersecurity changes daily. A once-and-done approach to employee cybersecurity training won’t protect you, nor will it maintain compliance. It’s likely that you will establish new policies or update old ones. Employees should review policies at least annually and whenever you make changes or additions.
Moreover, your ongoing training should address cybersecurity issues based on job description. Marketing and HR employees handle different types of information. Therefore, they need role-based training that secures your data and your oversight.
Step 5: Document Everything
No matter how well you oversee your employees, you need to document your work. Your internal or external auditor needs to know both how you plan to oversee your employees and how you actually do so. Thus, you need to gather all training documentation, written warnings, and any termination documentation proving your oversight.
How ZenGRC Can Help Manage Your Employee Compliance
With ZenGRC, you have a single source of truth for all your compliance documentation. With our platform, you can store all your written policies, procedures, and processes as well as your training information.
ZenGRC also incorporates workflow management capabilities that allow your compliance officer to assign tasks to individuals across the enterprise and track task completion, easing the barriers inherent in email tracking.
For more information about how ZenGRC can enable a more streamlined approach to overseeing employee compliance with policies, contact one of our specialists.