Acceptable Use Policies: Security Hygiene Starts with a Healthy Dose of Training
Guest post by Lysa Myers, security researcher, ESET
In my last post, I discussed the steps to performing a healthcare IT risk assessment. Once you’ve determined the risks within your environment, an important part of addressing those risks is to set up policies about acceptable use – formally known as Acceptable Use Policies (AUP) – for your staff members and then to train your staff accordingly.
The weakest link in most security chains is the human element, namely people thwarting protections put in place, intentionally or by mistake, or simply through lack of understanding. But how do you set up policies and train people if neither you nor the people on your staff are particularly security-savvy?
Trainings and Templates
If you’re starting at or near ground zero when it comes to information security knowledge, the first question to ask is: Would be better to train someone to become your security guru, or to simply improve overall knowledge within the organization and establish common-sense usage policies?
Unless you have someone in your organization who is dedicated to IT tasks, it may be difficult to mandate security training, but it’s wise to have a security-conscious person handling your infrastructure. At a minimum, when you train the rest of your staff on their security roles and responsibilities, your IT personnel should go through at least as much training: they will likely be in charge of setting up the protections that are to be used by the rest of the organization.
If you have a smaller healthcare organization, you can still create an AUP, without a security guru. In fact, having a less complex organization simplifies the definition process. In this case, something which is focused on healthcare and yet very simple, where you can “fill in the blanks” could be quite helpful: HealthIT.gov provides a template that could work well for smaller organizations.