Why Should Your Employees Sign a Policy Acknowledgement Form?

What does it mean for your employees to acknowledge your employee policies and procedures? To comply with information security standards, it’s required that all employees have expressed acknowledgement of the policies in place within your organization, specifically through a policy acknowledgement form for things like your information security policies and employee handbook. Having policy acknowledgement forms is an important piece of the puzzle when it comes to policy development and meeting information security standards.

What is an Employee Policy Acknowledgement Form?

An employee acknowledgement or policy acknowledgement form is a simple form employees are asked to sign to acknowledge that they have reviewed and understood the company’s policies as expressed in onboarding material, the employee handbook, or documentation announcing policy changes. Acknowledgement forms help organizations track who has been informed of policies and policy changes and whether employees are happy to confirm that they understand them. Acknowledgement forms are useful for all policy areas, but they are particularly important for policies that affect information security and regulatory compliance.

Why Should You Develop a Policy Acknowledgement Form?

It’s a smart idea for your organization to require employees to sign a document that acknowledges they have read and understand your policies. At the very least, a policy acknowledgement form is helpful in determining which individuals claim to have read through your employee handbook or information security policies.

Any time your organization creates a policy or expects a new procedure to be followed, you should distribute that documentation and attach a policy acknowledgement form. It’s your job to keep your employees informed, and this will aid your compliance efforts. It’s just another layer to make sure you’re practicing due diligence in your organization.

When it comes to the audit process, you can expect an auditor at KirkpatrickPrice to confirm that you have policy acknowledgement forms regarding any information security policies you’ve given to your employees. This shows an auditor that you not only have policies in place, but you require your employees to express their understanding of those policies. What’s the point of a policy if your employees don’t implement the practice?

What to Include In a Standard Policy Acknowledgement Form

You know you need a policy acknowledgement form, but what should it include?

We’ve put together an example to show the main areas you need to hit on in your policy acknowledgement form. Start by addressing the party you are requiring to have read your policies, explain which document they are acknowledging, share your expectations regarding the implementation of the policies, and include an area for a signature.

It’s not as complicated as you may have thought, but it’s important!

An Example Acknowledgement Form Template

 

Developing a policy acknowledgement form that covers all the bases is a sign of an organization working diligently to create a secure environment. Make sure you’re the type of organization that focuses on implementing information security policies and procedures that help mitigate your risks and address your vulnerabilities. If you’re looking to learn more about the basics of compliance or policy development, contact KirkpatrickPrice today!

More Policy Resources

SOC 2 Academy: Expectations of Policies and Procedures

Privacy Policies Built for CCPA Compliance

Guide to PCI Policy Requirements

What to Include in Your Employee Handbook

What’s the purpose of an employee handbook? Why are you required to have a detailed employee handbook to be compliant with information security standards? What should you include in your employee handbook to meet these standards? These are all great questions you might have when you’re preparing for an audit. Let’s start with a quick explanation of the purpose of an employee handbook and how a well-designed handbook can add to your information security policy.

Why Does an Employee Handbook Matter to Your Information Security Policy?

Your employee handbook is the center of your company culture. It answers the questions that your employees have about your policies surrounding employee conduct, benefits, and more. Without it, your organization wouldn’t have a standardized way of addressing these general employment topics and employees wouldn’t know what is expected of them in the workplace. If this baseline isn’t established, how could you expect your employees to follow other, more complex policies?

On the most basic level, your employee handbook should include the following sections:

  • General Employment
  • Employment Status and Record Keeping
  • Working Conditions and Hours
  • Employee Conduct
  • Employee Benefits
  • Timekeeping and Payroll

While this list of policies to include in an employee handbook isn’t exhaustive, it is a great example of where you can start developing information security policies that will help you comply with information security standards. For a detailed look at each of these sections, download our more extensive list.

 

 

The purpose of developing strong information security policies is to minimize risks to your organization and protect against vulnerabilities. By giving your employees clear guidelines on security procedures, you’re enabling your organization to be better protected against security risks. Whether you’re completing a HIPAA audit or a SOC 2 audit, you can expect your information security policies to be tested for clarity, detail, and accuracy.

So, what role does your employee handbook have in an information security audit? In any audit, you will be asked to provide your employee handbook and it will be reviewed for clarity, detail, and accuracy. It’s important for your employees to understand your policies comprehensively in order to put proper security procedures in place. If they don’t understand your employee conduct policy, could that lead to malicious activity? If they aren’t away of your Internet usage policy, could that open your organization up to more risks? On the other hand, if you don’t have an employee handbook, how can your auditor gauge the integrity and culture at your organization?

At KirkpatrickPrice, our clients upload their employee handbook and other information security policies into the Online Audit Manager for auditors and audit support staff to review. Instead of sending files back and forth insecurely, you can do it all in a simple action in the Online Audit Manager. This is all part of our streamlining process so that most of the work involved in the audit is done online.

Make sure you’re working with an auditor, like our senior-level Information Security Specialists at KirkpatrickPrice, who will properly review your employee handbook and other information security policies during the audit process. Don’t wait until it’s too late to make sure your policies comply with information security standards, contact us today!

More Resources

Choosing the Online Audit Manager: One Tool, Multiple Audits

Quickstart to Information Security Policies for Startups

Choosing an Audit Partner that Makes Sure

3 Data Retention Best Practices

Today’s organizations rely on data to fuel their business processes. Whether it’s the healthcare, financial services, hospitality, federal government, retail, telecommunications, or education industries, there’s sensitive assets that malicious hackers can – and will – steal.

With the growing amount of data collected by various organizations and industries, it’s no wonder why creating and enforcing a robust data retention policy is necessary. However, because of the rapidly changing threat landscape and new data privacy laws and regulations, it can be tricky for organizations to know what data they need to retain and for how long.

Let’s take a look at some data retention best practices and how following them can help your organization establish and enforce a more compliant and useful data retention policy suitable for your organization’s needs.

What is a Data Retention Policy?

A data retention policy is documentation that your organization has created to stipulate when data no longer serves its purpose and should be deleted, or if the data retention period has been met. Implementing a data retention policy begins by knowing what kinds of data your organization holds and then classifying that data.

Data Retention Policies are critical to ensuring all local and federal regulations and retention schedules are being met. This includes retaining data and records for the specified period of time, and also prompt deleting or destroying records once the retention policy is up.

What are Best Practices for a Data Retention and Purging Policy?

1: Identify and classify the data your organization holds

Implementing a robust data retention policy begins by knowing what kinds of data your organization holds and then classifying that data. For healthcare companies, this could be PHI such as patient names, dates of birth, Social Security numbers, medical data, and histories, or prescription information. For financial services organizations, this could be CHD, PINs, credit scores, payment history or loan information.

Classifying data is a best practice for data retention because not all data requires the same retention.  Recognizing this, many frameworks and legal regulations have specific requirements that encourage organizations to classify data. For example, the 2017 SOC 2 Trust Services Criteria requires that service organizations who include the confidentiality category in their audit demonstrate that they identify and maintain confidential information to meet the entity’s objectives related to confidentiality.

For GDPR compliance, organizations that handle the personal data of EU data subjects must classify the types of data they collect in order to comply with the law. Additionally, GDPR categories certain data – race, ethnic origin, political opinions, biometric data, and health data – as “special” and therefore subject to additional protection.  This not only means that organizations need to know what types of data they hold, but they also need to be able to label that data such as public, proprietary, or confidential.

2: Know which legal requirements apply to you

Within the last few years, there’s been a renewed focus placed on data privacy, leading to an increase in new, complex data privacy laws and regulations across the globe that generally include data retention standards. In addition to the mix of regulatory frameworks organizations are already tasked with complying with, organizations may also have contractual and business needs that dictate data retention schedules.

For instance, if an organization has to comply with the data retention standards for GDPR and the PCI DSS, how do they know which data retention requirement to follow if there is a conflict or difference between the two requirements?

This is why when following best practices for data retention, organizations should consult with either internal or external regulatory compliance specialists to determine which legal requirements for data retention apply to their organization.

Best Practices for Data Retention: a cheat sheet for PCI, GDPR, CCPA, HIPAA, FERPA, GBLA, & More

3: Delete data once it is no longer required or after the data retention period has been met

This is a critical best practice for data retention that many organizations fail to follow because they believe that holding onto data longer than required could be more secure than deleting it and needing it later. However, this misconception couldn’t be further from the truth.

Holding onto data longer than required by law or longer than needed for use can have various ramifications, including but not limited to:

  • Increasing chances of experiencing a data breach or security incident
  • Placing client data at greater risk for being breached
  • Contributing to cluttered hardware and/or software, making it difficult to find data that’s actually needed
  • Expanding the regulatory compliance burden related to data access

Ultimately, in order for an organization to implement an effective data retention policy, data that no longer serves a purpose to the organization or data that has been held for the required retention period should be deleted.

If your organization collects, stores, or transmits data, it might be time to re-evaluate your data retention policy. To learn more about how you can follow and implement these best practices for data retention or find out how KirkpatrickPrice can help you ensure compliance with data retention requirements, contact us today.

More Data Privacy Resources

Privacy vs. Security: What’s the Difference?

Destroying Media When it is No Longer Needed

Are You a Data Controller or Processor? 

Business Continuity and Disaster Recovery: How to Avoid a Crash Landing

I Piloted an Emergency Landing, and So Can You

It can be easy to put business continuity and disaster recovery planning on the back burner if your organization has never been affected by a disaster. But what would happen if a power outage, tornado, or data breach hit your organization and you didn’t have any plan in place? Disaster strikes when you’re least expecting it. It’s critical that you ensure that your organization is prepared. Learning from the experiences of others who have survived emergency situations is a key way to better prepare your organization for disaster.

On June 23, 2018, I was flying home from the Miami area to Tampa after finishing some charity work, piloting my private airplane. As I was flying over Lake Okeechobee and without any warning, the engine of my plane fell silent – something I never wanted to hear. I quickly realized that I had just nine minutes to implement an emergency landing plan before my plane would crash. Because of extensive preparations, I was able to successfully pilot my plane to the ground without harm using six basic steps. The same six steps that helped me pilot an emergency landing can also help your organization navigate a disaster. Let’s review the following steps:

  1. Prepare for an incident
  2. Diagnose the problem
  3. Determine your assets
  4. Determine your options
  5. Prepare for curveballs
  6. Make a post-action report

Preparation

If we could predict disasters, we would avoid them – but we can’t. Avoiding disaster is essentially impossible but preparing for an incident can help lessen the impact. So, how can you prepare for disaster? Training and practice are key ways that you can prepare your organization for disaster. Your disaster recovery team should be continuously practicing the steps it would take to implement your business continuity and disaster recovery plans. Placing your disaster recovery team under heightened stressors will also assist in better preparing them for the high levels of stress that will occur when disaster does hit. Your plans should be like muscle memory for your team; each member must be intuitive about how your systems work. During my flight, knowing systems like my GPS, engine, radio, and fuel gauge was critical, just like knowing your firewalls, applications, networks, and cloud environments will be critical.

What’s the Problem?

When disaster strikes, noticing how the problem stands out from what’s expected is critical. We all know what the inside of plane sounds like, right? There’s a buzz in the air from the sound of engines and wind. When my plane went silent, I knew something was extremely wrong. Your employees must be trained to notice anomalies in your systems without delay. Once the problem is diagnosed, the incident must be reported immediately. This will allow your organization to put more resources on the problem.

What are Your Assets?

In high-stress situations, determining your assets is a way to focus your team and identify the problems at hand that can be solved. During my flight, I quickly identified my assets as the time I had to land, the nearest airport, and my training. You should always be looking for unexpected assets, though. In my case, it was help from the local sheriff’s office. In your situation, it may be outside help from a PR firm or IT consultant. Having a focused mind will allow you to uncover these assets.

What are Your Options?

Often times, the number of options to mitigate disaster-related problems can be overwhelming. I don’t want  you to get lost in this, though. Keep as many options open as possible, but eliminate options immediately once they’re no longer viable. You need to analyze options and commit to a plan, not fixate on or misinterpret facts.

Prepare for the Curveball

Even if you have a business continuity and disaster recovery plan, things don’t always go the way they’re planned. You must keep this in mind as you’re strategizing how to recover. When I decided to land my plane on a highway, I knew that powerlines, an oncoming semi-trick, and a slow-moving Sedan were in my way. What did I do? I prepared myself for these obstacles and didn’t let them overwhelm me. If you’re in the midst of dealing with a major data breach and a malicious hacker makes a ransom demand, you cannot give up. Manage the incident all the way to the end.

Make a Post-Action Report

Congratulations! You’ve made it through the disaster. Celebrate your successes and don’t be discouraged if you didn’t do everything perfectly—you won’t and I didn’t. But you can learn from your mistakes. At this point, you’ll need to question how you can improve your plan. What could you have done differently? Is there additional training or practice that your disaster recovery team needs to be put through?

While we can’t prevent disaster from happening, we can set our organization’s up for success by creating, practicing, and implementing business recovery and disaster recovery plans. Following these six steps will allow your organization to be best prepared for when, not if, a disaster hit. Remember: extraordinary events happen on ordinary days. Will you be prepared?

Ready to get started on your organization’s business continuity and disaster recover plans? Find out how KirkpatrickPrice can help you create business continuity and disaster recovery plans.

About Randy Bartels

Randy Bartels serves as Vice President of Security Services at KirkpatrickPrice. His experience crosses a wide range of information technology disciplines including security and network architecture, software lifecycle management, operations, and penetration testing. Randy is responsible for leading complex engagements and investigating risks in new areas of technology. He holds CISSP, CISA, CSSLP, and QSA certifications.

More Disaster Recovery Resources

Business Continuity and Disaster Recovery Planning Checklist

3 Steps for an Effective Disaster Recovery Plan

Cloud Security: Business Continuity and Disaster Recovery Planning Checklist

Password Expiration Policy and Best Practices

Microsoft’s Password Guidance recommends that passwords be set to never expire. Microsoft argues, “Password expiration policies do more harm than good, because these policies drive users to very predictable passwords composed of sequential words and numbers which are closely related to each other.” NIST’s guidance suggests, “Verifiers should not require memorized secrets [passwords] to be changed arbitrarily. However, verifiers shall force a change if there is evidence of compromise of the authenticator.” These concerns and suggestions are valid, but we believe that moving away from password expiration policies altogether is problematic.

What Makes a Strong Password?

Creating an effective password expiration policy goes hand-in-hand with creating a strong password. Both NIST and Microsoft guidance highlight a need to move away from traditionally accepted strong password best practices, such as:

  • Character length
  • Character complexity
  • Expiration date

Instead, NIST and Microsoft claim that strong password best practices should include:

  • Banning common passwords
  • Educating employees to not use their organization credentials anywhere else
  • Enforcing multi-factor authentication (MFA)
  • Enabling risk-based MFA

Following these new best practices and ensuring that users create strong passwords could allow administrators to implement less frequent password expiration dates.

KirkpatrickPrice’s Best Practices for a Password Expiration Policy

At KirkpatrickPrice, we have found that eliminating password expiration policies can lead to a weakened security posture. Users are still likely to create and use hackable passwords, such as variations of birthdays, anniversaries, names, addresses, and other personal information. Because of this, establishing effective criteria for strong passwords and implementing a password expiration policy is crucial in maintaining a strong security posture. To accomplish this, we recommend doing the following when developing a password expiration policy:

  • Education and Training: A key to maintaining a strong security posture is continuously educating and training users on the importance of creating strong passwords. Administrators must set the tone for establishing strong passwords through proper security awareness training. Users must understand what constitutes a strong password, and also what password expiration policy is in place and why.
  • Utilizing MFA: MFA allows users to confirm their identity by successfully presenting two or more pieces of evidence to an authentication mechanism, reducing the risk of compromise. Without MFA and password expiration dates, users are much more likely to be hacked or to be unaware that a hack has occurred.
  • Setting a Timeframe for Password Expiration: It is imperative that a password expiration policy be established. Though research has shown that frequent password expiration dates can be detrimental, that doesn’t mean that you shouldn’t set password expiration dates at all. For example, your password expiration policy could be that passwords expire every two years, but those passwords must meet certain strong password criteria and require the use of MFA.

How is MFA More Secure than 2FA?

Because frequent password expiration dates have been industry standard, moving away from that best practice might seem unnerving. Using two-factor authentication (2FA) and MFA, though, can serve as an additional step in maintaining a strong security posture. However, while a 2FA system is a growing best practice, it isn’t guaranteed to shield against cyberattacks; 2FA systems can be easily bypassed. Instead, we suggest using an MFA system to better ensure security because it requires several separate pieces of evidence to confirm a user’s identity instead of just two. How are you ensuring that your employees’ credentials aren’t compromised?

Have you reviewed your password expiration policy? Do you need help developing your organization’s security awareness training? Ensuring a strong security posture doesn’t need to be challenging. Let us help! Contact us today for more information on how KirkpatrickPrice can assist you in implementing these password expiration policy best practices.

More Resources

The 8-Character Password is No Longer Secure

Choosing Secure Passwords

Two-Factor vs. Multi-Factor Authentication