Discovering that you need to start training your staff to pay attention to IT security can seem like a daunting process.
There are many rules and many worries, but if you break it all down into steps you can get through the process easily. IT security shouldn't stop at the computer. It should start at the front door of your building and end at the desk.
As you walk through your building, think about the vulnerabilities of the paperwork, the data, and the safety of your personnel and equipment, then decide how to lock it all down.
Document your ideas as you go. As you walk each step, review the processes and consider the job qualifications and how you might have to change the job skills, job descriptions, employee manuals and specific procedure manuals along the way. Again, it seems daunting, but it isn't so bad, really.
Note Which Employees Should Have How Much Access and When
As you enter the front door of your business, consider who should have access during operating hours and after hours, who should have the code/keys, and who should not have access on their own. Write those answers down. If you are listing by job description, then you may have to change the job description to include security protocols, for example: don't share your key/code, don't copy your key/code, don't leave your code written on your desk. If it is a general directive, update the Employee Manual for everyone.
Then move into the offices, especially offices where key data can be seen or stored. For example, if you have a receptionist but all they do is transfer calls and set up the board room for meetings, then that computer may not need to be locked down. However, if the receptionist sends emails to personnel, clients or vendors, then you need to check out that desk. Consider the data on the screen. If the data can be viewed by a bystander, cover the screen with a privacy filter and install antivirus software. If the data ever includes personal information, then encrypt the computer and train the receptionist to lock it whenever they step away from the desk.
Complete these steps for each job type. Some steps will be not applicable; make sure you change the job descriptions and the employee manuals. Then training can begin.
You should update the manuals and job descriptions first so that you can have each employee sign off on the new responsibilities after the training. Encourage them to ask questions and to review the procedures. Place the security procedures in easy-to-find, shared files so each employee can review them at will or when you find holes in their behavior.
That reminds me: as you create the processes, make sure you also create processes to validate that the employees are following the protocol.
Now it is time for training. Create visual, written and reminder guides as needed for each job description. Then set up mandatory meetings to review the requirements. Explain why the requirements are necessary, and also share the validation processes. Tell them how often you will check and whether you may be doing "surprise" spot checks. The validation process and job descriptions should include consequences for not following the security processes.
Let's set up an example. Suppose the position is a customer service representative for an EMR provider, a software-as-a-service provider that handles medical records for doctors' offices.
Let’s presume that the building is secure, and you know who passes in and out and when.
Then let’s go to the office where the customer service rep’s desks are all jigsaw-puzzled in a room full of cubicles.
1. The screens should not be visible to people as they pass by. There have been stories of people finding out about a friend's or family member's medical condition by inadvertently seeing screens with the data on them. Make sure the screens can only be seen when sitting directly in front of them.
2. Is the computer secure? Are log-in standards set?
3. Is there an antivirus?
4. Since this computer may hold personal information at certain times, or has access to applications that hold personal information, is it encrypted?
5. This person should have HIPAA training. Provide the training if needed; there are many companies that offer it online.
6. Review the non-disclosure agreement and the proper processes for not disclosing information verbally, in writing, or to friends, family and others.
To validate, take each requirement and create a simple process to check it. Store the results for each person. Using the list above, here are the validations.
1. Screen use: Person A – requirement met
2. Log-in protocol: Check that the computer requires a log-in and the password is not 1234 – requirement met
3. Antivirus protection: Acquire the certificate and save it in a file where you can provide it as needed for an audit.
4. Encryption: Get the certificate from the computer and save it in a file where you can provide it if you need it for an audit.
5. Training: Require HIPAA and any other industry-specific training, ask each person to send the certificate upon completion, and again store it.
6. Non-disclosure: Require a signature on the job description and employee manual. File it.
Hold Employees to Task
Lastly, explain that failing to meet the security standards in your company may result in job loss, and possibly legal ramifications if there is an intentional breach. Include this in your employee manual. With each update, resend the employee manual in an email with a read receipt. Have everyone sign it and keep it on file.
Set reminders to periodically ask for updates of certificates, and to review the protocols.