PaulDotCom mailing list archives

Security Operating Procedures and beating people over the head (fun fun fun)
From: k41zen <k41zen () live co uk>
Date: Wed, 14 Jul 2010 22:46:54 +0100

I'm curious as to what technical or physical measures you put in place that work to ensure people adhere to Security 
Operating Procedures (SOPs).

For example, we have a policy in place that states you must log off at the end of your working day. It could be any 
policy that they have to follow, but let's play this out. Currently my team conduct a manual physical check, noting desk, 
workstation, domain and user information before switching off or shutting down the machine when found. We are testing 
tools to automate this but are still in early stages.

Now this isn't the only area of the SOPs that is currently not being followed. However, I'm more interested in what you do 
with the result and what you've found that actually works. Does rewarding work better than punishing, or does a 
combination of both work better?

I love beating people around the head to drum home the point, BUT I wanted to take a step back and understand why this 
failed. In particular I wanted to know:

        1) Have people seen/signed the SOPs?
        2) Have they actually read them?
        3) Did they understand them and did they make sense?
        4) Are the SOPs too big/badly written to get the information across?
        5) Do they simply disagree with the SOPs?
        6) Have they attended the security awareness/induction courses?
        7) Did they fall asleep halfway through?
        8) Have they forgotten the SOPs?
        9) Can they remember the security awareness training?
        10) Did they sign them too long ago?

After questioning someone, I did actually find that he did disagree with the SOPs. Although he had signed them, he was 
immediately escorted offsite.

One failing is that the SOPs are too much of a mess. In fact, there are 8 documents that you have to sign depending on what 
you do and what kit you have. This is a mess and probably a big cause, and even though I didn't write them I am all over 
them taking them apart and rewriting.

To simplify matters I decided to email out little important snippets of the SOPs and removed the dull crap around the 
actual point in an attempt to spice them up a bit. More of a "do this and you'll be fine" approach, BUT we still found 
tonight that 20% of people left their machines logged on. So my immediate thought is to implement a technical power-off 
switch, because people are very busy and they do forget, right?

I even spoke in person to a manager of an area we audit this morning to make sure he was happy for us to carry out this 
work. He replied with "I better make sure I log off tonight then" and laughed. Turns out that he didn't log off and he 
was only reminded 8 hours ago!!!!!!

So I'm back to what to do about it:

        1) Do I name and shame those that do not comply?
        2) Do I praise those that do?
        3) Do I get them to buy cakes?
        4) Do I get each team to look out for themselves, with the last man/woman in to check the team machines?
        5) Do I get them to stand in the room naked and recite, as a town crier would, the area of the SOPs that they 
failed on?
        6) Do I get them to hand over a digit of their PIN for every breach they conduct?
        7) Do I follow the breach and points system to punish?

We operate a points system, and after 12 points you are physically removed off site. Do I punish individuals and then, 
after 6 points, bring them in with their manager and warn that after another 6 they are off? I do believe that if it 
hurts people, if it really makes a difference to their take-home pay, then they would listen. I'm personally in favour 
of this option. If people just get an email again reminding them to power off, they may do it for a little while and 
then they stop; after all, everyone is busy.

But before I go down this route I wanted to check if there was an approach I was missing.

So apologies for the long email, but I throw this out to you and ask: is there anything else I can do and ask for

I really do appreciate any advice/guidance you can offer.
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
Main Web Site: http://pauldotcom.com