
Policies and procedures


Procedural and people security is a key part of Information Assurance. Threats are not only external; they may also originate with or involve current or former staff. It is therefore essential that all staff follow correct policies and procedures, so that they foster an appropriate security culture.


Mark: Hello, and welcome to our studio at QA today. I'm joined by my colleague Dave Doody, and today we'll be talking about Acceptable Use Policy, and about practice and restrictions in computer technologies. So, Dave, welcome. Can you just introduce yourself to the people listening?

Dave: Hi Mark, I'm Dave Doody, I work for QA. I'm the Training Delivery Manager for the Cyber Security team, and in my previous employment I was working at BT as their Training Delivery Manager for cyber security.

Mark: Excellent, thanks for that. So, I'm just going to jump straight into it. So, someone joining a company, what requirements are there for that? 

Dave: Well, an organisation, any company, there's a number of things that they must do prior to an employee turning up. First of all, they're going to make sure that they've done some background checks on the individual, to ensure that they are of a suitable nature. You know, have the, the right character for the job. And then they're also going to make sure that they have an employment contract written that explains an awful lot of things in relation to their employment. Who, who is their boss, what are the working hours, how much holiday they're entitled to, and so on and so on. And then on-, when they turn up at the organisation, the employee will have an awful lot of documents to read. Various policies, processes, and procedures that they need to understand, and these policies range from health and safety, security policies, physical security policies, acceptable use policies. And an acceptable use policy can be broken down into various areas. And these will cover how an employee should treat fellow employees and customers, how they can use their telephones, their company equipment, their laptops, their desktops, what computers or websites they can go onto, what social media sites they can go to, and, and what's expected of them, and a whole plethora of other information.

Mark: So, people will have joined, and probably gone through some form of induction training, which probably would have covered some of that material? 

Dave: Yes, yeah, definitely. Most organisations do have a formal induction either day, or couple of hours, or even a week. And what happens there is they will be brought in together with maybe other new employees, and sometimes senior managers will come in and give the history of the company, and what they expect, and what they are-, the company is there to do and deliver. And they will also be given documentation on what to read. These policies that we just mentioned before. 

Mark: Yes, yes. So, monitoring. What type of monitoring is taking place in the business? 

Dave: So, monitoring ranges from senior management all the way down to-, down to the team level, really. So, you'll have people like the DPO, the Data Protection Officer. You'll have the legal team observing, you'll have HR involved in what's being delivered and how it's being delivered, and also the line managers, and supervisors for the teams will be looking throughout the year and carrying out awareness programmes, and-, 

Mark: So, that would probably cover, sort of, internet usage. So, is there any form of sanction then, for this carrot and stick type of approach? 

Dave: Yes, there is. You know, do as you're told, and if you don't, then we-, you know, there's gonna be repercussions. 

Mark: Yes. 

Dave: You know, so, it could be-, it could be, dare I-, dare I say it, criminal activity that they're doing, so they could end up in a-, in a court of law, or they could be even, you know, discharged from the organisation. You know, fired. 

Mark: So, potentially, there could be, like, an insider threat, which obviously we'll discuss probably later on in the course. 

Dave: Yes, yeah. Exactly. 

Mark: So, internet usage would probably cover some of the things and elements that you are talking about there. So, let's just go into blackmail and coercion, because, you know, obviously, people could get-, could be turned by people. What do-, what do you understand by that, blackmail and coercion? 

Dave: So, blackmail, really it's an individual who's putting themselves-, they have a vulnerability that can be utilised against them, and also to help enhance the individual who's carrying out the blackmail. So, an individual-, a good-, when I say a good example, an example of this will be somebody who maybe has a gambling addiction, and throughout their gambling addiction, they've created a debt, you know, to either a group of people, or an individual, or to an organisation. And if they're of a criminal nature, they might want their money back rather sharpish. 

Mark: Yeah, that's quite interesting.

Dave: Yeah. 

Mark: I just want to just move straight into, sort of, hospitality. What would be-, what would be deemed as acceptable hospitality? 

Dave: Acceptable hospitalities are items. Gifts that are of a low cost, you know, financial. You know, a pen. A bamboo cup that we give away at QA for people who come in and attend courses. Or, you've got the more, you know-, you know, exponential type of item. Laptops, computers, holidays, World Cup Final tickets, Wimbledon Final tickets. You, you know, they are exceptional value, and may not be, you know, deemed suitable, because it could be-, it could hold a-, the organisation or the individual in a position where they may be, you know, they may feel they owe the people who've given them the tickets something in return.

Mark: So, you'll probably log this in some form of a form, would you? Is that it? 

Dave: Yes, yeah, there'll be a catalogue that the individuals who-, when they receive the gift or take a gift from somewhere, they have to say what it is, who's provided the gift, how much is that gift valued at, you know, the date it was received. 

Mark: Thank you very much, Dave, for that interesting insight into that subject.
