Your policies and procedures are the backbone of your information security, privacy and compliance program. Everything else (configurations, tools, etc.) should be built on top of your policies or created based on them. Policy acknowledgment is a requirement for most security audits.

How important are policy acknowledgments?

Policy and procedure must be consistent with, and transparent to, the actual (day-to-day) settings, tools and configurations. The challenge is that the employees, the people who do things day to day, are often not the people who write or maintain the policies and procedures. This disconnect between who owns the policies and who implements and follows them can create problems, including security incidents.

Policy acknowledgment is required

Because policies are so important to a functioning information security program, policy acknowledgment is a common process that all employees must go through. Policy acknowledgment is also required by most auditing and regulatory frameworks, like HIPAA and SOC 2. Ideally, employees don't just acknowledge having read the policies, but actually understand them and can apply them to their work. For the purposes of audits, acknowledgment is the event to check off.

Most companies conduct policy acknowledgment when onboarding new employees and then annually thereafter. Since this is the same schedule that many companies use for security awareness training, policy acknowledgment is often associated with security awareness training. Although this is the industry norm, it is important to educate employees about policies that change and get them to acknowledge that they are aware of policy changes, even if those changes do not line up with the typical annual cadence.

not progressing well.
The way we have seen it done is to send an announcement to a channel, a group, or all of Slack. This announcement post must include the context of the policy or policies, a link to the full content of the policy, and instructions on how to comment on the announcement post to acknowledge having read and understood the policy. This can only work for companies with fewer than 20 employees. Even with smaller companies, this process does not generate the type of evidence that an auditor is used to seeing, which makes your job more difficult at audit time.

We built Haekka to create a centralized place for security in Slack or, as we like to call it, a security HQ in Slack. A key function of a security HQ is the ability to do policy acknowledgments. Our custom content feature makes acknowledging policies simple and powerful in Slack. You can do this ad hoc or put it on autopilot by making policy acknowledgments recur on a yearly basis.

Quick and easy for employees. No jumping to other tools required. No new connection. 100% in Slack.

No more hassle. Haekka handles notifications. Set a due date for your policy acknowledgments and Haekka will take care of reminding your employees until they complete them.

Nice comprehensive evidence for audits and auditors. We create all the documentation you need for your audits. Your auditor won't ask for any follow up.

There are actually 2 ways to do policy acknowledgments in Slack with Haekka.

1. Create a policy acknowledgment lesson (or add the policy acknowledgment as a lesson for your security awareness training). You can either link to your policies or put the actual policy content in Haekka. If you choose to put content into Haekka, Haekka seamlessly becomes the home of your policies and procedures.

2. Create a policy acknowledgment commitment. We recommend this for ad hoc policy announcements and acknowledgments. The use case is usually a new policy or a significant policy change. It's quick and easy (think done in less than 10 minutes).
We've created a video to show how easy it is to create, assign, and complete a Policy Acknowledgment using Haekka in Slack: https://youtu.be/55KoFOSA34U

At Haekka, we use our own app to do policy acknowledgments. This is the easiest way we have found to do them. Policy acknowledgments also fit well into a security HQ alongside security awareness training, regular security team engagements, and weekly content feeds.
*** This is a syndicated blog from the Security Bloggers Network of Haekka Blog written by Haekka Blog. Read the original post at: https://www.haekka.com/blog/slack-for-security-how-to-do-policy-acknowledgments-in-slack