Infosec Policy Acknowledgement in the COVID Era

Infosec policy acknowledgement tends to become an urgent topic at the most inconvenient of times.  During an audit, when your team realizes that new-hires haven't always been asked to sign all of the necessary policies.  During a response to an enterprise security questionnaire, when a procurement director asks to see the paper trail demonstrating that your team is committed to the policies as-stated.  Or worse, during litigation.  We'll leave that last one right there, without elaborating.

Here, we'll delve into what's changed with regard to infosec policy acknowledgement, on a Before vs During COVID basis.

Infosec Policy Acknowledgement: Pre-COVID Processes

Prior to COVID, many small businesses used what I'll refer to as a do-it-yourself (DIY) policy acknowledgement process.  This isn't the kind of DIY project where the finished product is a beautifully shiplapped wall to adorn a clever nook in your home.  It's the kind of DIY project that involves some aging policy acknowledgements getting scanned in from paper copies, some e-Signatures from one or more signature providers over the years, and (yes) some cases of walking straight up to a laggard and asking if they wouldn't mind signing the document today (by any means available)... because the person is the very last one that hasn't done it yet.

Yes, many small businesses had a special kind of chaos when it came to infosec policy acknowledgement, pre-COVID.  But ever since COVID?  You don't want to know.

The COVID Era

Because we tend to get involved when companies feel the pain of aging cybersecurity processes and tools, we've seen it all.  We've seen companies whose policy acknowledgements are in word documents with signatures "drawn" via mouse or trackpad.  We've seen barely-legible PDFs of scanned-in paper documents.  We've seen unfiled/unsorted Google Drive folders containing "all" of the signed policy documents.

In the COVID era, many companies who were struggling to hold together their DIY policy acknowledgement approach, finally hit the breaking point.  The geographic distribution of remote teams, the inability to walk up to a laggard and specifically raise the topic for immediate resolution, and the chaos of pre-existing filing systems all contributed to companies deciding that it was time to graduate to something better.

If you've read this far, there is a good chance that you are in that exact situation.  So, as the trusted cybersecurity partner for a great many small businesses, let me point out some of the basics that should be a part of your online policy acknowledgement processes (and yes, you really should use Havoc Shield):

1. Per-Policy Timestamp Revision History:  you need the exact versioned history of every policy you role out; and you really need to be able to identify them by the timestamp at which they were last edited.  You do not want to get into a situation where there is some contested discussion about who signed which version of which policy.  In some situations, that information may not be possible to reconstruct.
2. Per-Employee Per-Policy Timestamp Acknowledgement History: you need the exact timestamp history of each employee's acknowledgement of each policy.  Do not leave this to chance.  The dangling/incomplete story in the header of this blog post -- the one that left a litigation story untold -- often traces back to sloppiness on this particular point.
3. Automated Signing Reminders:  please do not make humans your first line of defense in the effort to make sure that every employee signs every policy.  It is not a great use of time (and, often doesn't go well), when there are employees that are on the "critical path" of getting the company to 100% policy acknowledgement.  An unplanned vacation, a misplaced spreadsheet, or a reprioritized workweek can all quickly get in the way of that person sending reminders to each laggard until all policies are signed.
4. Paper or Plastic?  Neither:  the process really should be entirely online.  There is very little value in encouraging paper-based acknowledgement of policies, and it's dramatically more error-prone.
5. Grace Periods:  we need to collectively recognize that when an employee fails to acknowledge a policy by a stated deadline, there are sometimes real/valid excuses.  Unless you want employees being called while in the delivery room awaiting their first child, please recognize that some concept of a grace period (even if that grace period is just 48hr) is a healthy and reasonable workflow element to prevent resentment amongst well-meaning employees who simply need just a little more time.
6. 100% Completion:  after all of the above, and some one-on-one nagging if needed, you do need to land at the all-important destination: having all employees sign all relevant policies in a timely manner that will survive audit (be that an audit associated with SOC 2, ISO 27001, or whatever else)

Our online policy management system at Havoc Shield does all of the above and more.  Interested in learning more?  Drop us a line anytime; we're standing by!