6 Things You Should Tell New Staff About Information Security

17th July 2018

There are many important policies, procedures, and other things to inform new staff about. It can often be daunting since there’s so much! Don’t forget these 6 key things you should tell new staff members about Information Security.

  1.    Clear Desk Policy

A Clear Desk Policy is one of the most important Information Security Policies that you should inform new members of staff about.

It should set out your expectations for how an employee should leave their desk when they’re not around, and will usually include points such as locking computer/laptop screens, locking away any notes and documents that contain personal information (even sticky notes!), and having a tidy desk.

Lack of awareness, or simply not following the Clear Desk Policy can lead to severe data breaches, especially in shared offices and enterprise centres, where personal or confidential information could be on display.

You can find the NHS’ Health Care Industry example of a Clear Desk Policy here.

  1.    Mobile Working Policy

On some occasions, it may be necessary for specific staff members to work away from their normal office (see The Telegraph’s ‘Seven reasons why home working is the future’ here), this is referred to as mobile working and includes working from other offices, or from home.

It’s essential to protect any information or data worked on outside the normal office location in the same way you would at your normal office location. This includes active virus protection, being aware of other people overlooking as you work, or stealing mobile working devices. If it’s likely the new employees will be working somewhere other than their normal office, make them aware of your Mobile Working Policy to avoid potential data breaches.

  1.    Information Transfer Policy & Dealing with Third Parties

Sending and receiving information with colleagues and third parties presents risk.

Your Information Transfer Policy will state how you need to encrypt information and data throughout the transfer process for many methods of communication, including email, phone call, text messages, and more.

Handling personal information on a phone call, while at a location where other people can hear you, or attaching confidential information to an email without protecting it, are critical errors, no matter how accidental.

  1.    Explain the classification of information including any personal data you handle

It’s important that new employees understand the types of information they might need to handle as part of their job.

Often, organisations classify different data types in terms of the sensitivity and criticality to the business. You could use a classification scheme like this to determine how you or your employees will handle certain data.

Make sure you communicate this before employees start processing data.

  1.    How to report a suspected incident or breach

Every organisation should have a point of contact, to whom someone should report a suspected incident or data breach.

For example, you may report to your IT Department, or perhaps you have an Information Security Specialist.

Either way, it’s important that new employees are aware of how and who to report alleged Information Security Incidents to. This way, a specialist can tackle the problem.

  1.    Who to go to for further help

Whether there’s an individual, department, procedure or policy, make sure that your new employees know how to get further help with Information Security.

Guest Blog written Assent Risk Management.