Thoughts and ideas from It's Just Results
Top 10 Reasons Why Employees Are Not Applying Policies
June 30, 2019 at 8:00 AM

It's Just Results knows that the best solutions and ideas come from teams. We prefer working with collaborative and innovative partners in security and compliance. One of those partners is ThreatSwitch.

This is the second post created in partnership with ThreatSwitch, a cloud-based industrial security compliance solution that aims to radically simplify and automate high volume, data-intensive, and administrative tasks. Please visit threatswitch.com to learn more. 

ThreatSwitch invited us to continue to participate in their Partner Perspective series. The focus of the series is to share insights that you can use to improve your own security program and security policies.

Not following Policies is Common

A 2018 Kaspersky Lab study found that only 12% of employees are fully aware of their organization's security policies and rules. The same survey found that 24% of employees believe the organization they work for has no security policies at all.

Many companies have employees who are not aware of what the company expects of their behavior. The only way for staff to know their responsibilities and their role in meeting security requirements is for those requirements to be documented, communicated, and shared. A written document establishes explicit activities and guidelines for employees to follow, but without staff participation a company's security posture will remain deficient.

10 Reasons Why Employees are Not Applying Policies

In response to policy challenges, we've worked with business leadership and staff to identify the top reasons why employees are not engaging with security policies:

  • Externally developed policies (i.e. not by internal staff/employees)
  • Confusing and complex language
  • Management not involved, roles not defined
  • Dry and boring language
  • Not relevant to business work environment
  • Outdated (have been on the shelf for several years)
  • Staff does not understand need for policies
  • No time provided to read policies/text is not relevant
  • Leadership does not enforce standards/no consequences for not following policies
  • Insufficient resources to execute policies

Designing Policies that Engage Employees

Getting all of your employees engaged with your policies might seem like an impossible task, but don't give up quite yet! To improve policy development speed, implementation, use, and buy-in, incorporate these critical variables:

  • Compliance Mapping: Map policy documents to the controls required by DFARS 252.204-7012, which mandates the 110 security requirements of NIST SP 800-171. A mapping shows which requirement each policy statement satisfies, and which requirements no policy covers yet.
  • Background, Purpose and Scope: Establish context, set clear goals and expectations of the policy, and describe what the policy encompasses.
  • Key Procedures: Write easy to understand procedures that describe activities. Note: This is not a detailed step-by-step implementation instruction.
  • Schedule: Establish an overall timeline that includes all security activities, the individuals assigned to each activity, and how often each activity recurs. This is a living document.
  • Shared Accountability: Require each staff member and consultant to read the policies. Each person must attest to reading and understanding the policy. Distribution is annual and updates should be distributed when policy changes are implemented.
  • Violations: Violations of information security policies have consequences. Consequences may be at the business or employee level. Employees must understand that not following policies will also have personal consequences.
  • Ownership: Identify a Policy Owner to answer questions about the policy.

In addition to the basic policy requirements listed above, we recommend including the Center for Internet Security (CIS) Controls (20 controls in the current version). The controls are updated every few years and can be downloaded free of charge at https://www.cisecurity.org/controls/. A commonly cited estimate is that these controls address roughly 85% of the cyber threats companies face.

Do your policies include these security controls? If not, you have a likely security gap and will need to make decisions and codify them in your new or revised policies.

The Role of Policy Development in Compliance
December 19, 2024 at 9:00 AM
Zero trust policies are essential for proper compliance and security

Businesses today are under relentless pressure to protect their security and maintain compliance. Cybercriminals are growing more sophisticated, and traditional defenses are no longer enough. The need for carefully developed policies that protect data, systems, and operations has never been more urgent.

One strategy that’s gaining traction is the adoption of zero trust policies. For businesses that demand clear, actionable results in compliance and security, zero trust provides a framework that mitigates risk and strengthens security posture.

At It's Just Results, we collaborate with business leaders who value efficiency, clarity, and real outcomes. Understanding zero trust and embedding it into policy development can mean the difference between effective security and catastrophic breaches.

What Are Zero Trust Policies?

Zero trust policies operate on a straightforward principle: "never trust, always verify." This model assumes that no user or device—whether inside or outside the network—is trustworthy by default. Instead, access is granted only through continuous verification and strict controls.

Unlike traditional security models that rely on a defined perimeter, zero trust treats threats as both internal and external. Each access request is evaluated independently, ensuring that only verified and authorized users can reach sensitive data or systems. This approach minimizes the potential impact of a breach and reduces vulnerable entry points.

The Connection Between Policy Development and Compliance

Compliance means adhering to regulations, safeguarding sensitive data, and ensuring that systems meet established standards. Without a clear policy development process, maintaining compliance is next to impossible. Policies dictate how an organization handles security, data privacy, and risk management.

Zero trust policies are pivotal to modern compliance strategies. Regulations and frameworks such as GDPR, HIPAA, and CMMC demand rigorous data protection and controlled access. Zero trust helps businesses meet these requirements by:

  • Enforcing Secure Access Controls: Granular access policies ensure sensitive data is only available to authorized individuals.
  • Reducing Breach Risk: Continuous verification of users limits the chance of unauthorized access and compliance violations.
  • Creating Audit Trails: Zero trust emphasizes logging and monitoring, providing detailed records of who accessed what data and when—crucial for audits.

Key Elements of Zero Trust Policy Development

Developing zero trust policies goes beyond technology. It requires a structured approach that aligns security goals with compliance needs. Here are key elements to consider:

  • Identity Verification: Authenticate every user and device before granting access. Multi-factor authentication (MFA) and role-based access controls (RBAC) are essential.
  • Least Privilege Access: Restrict users to only the data and systems they need to do their jobs. This limits the potential damage from compromised accounts.
  • Continuous Monitoring: Real-time monitoring detects anomalies quickly. Continuous verification helps catch threats before they escalate.
  • Microsegmentation: Divide networks into smaller segments. If one segment is compromised, microsegmentation stops the breach from spreading. Each segment has its own access rules.
  • Policy Enforcement and Review: Zero trust policies must be reviewed and updated regularly. As business needs and threats change, so should your policies.
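To make the five elements above concrete (and the "audit trails" point from the earlier list), here is an added example of a deny-by-default policy decision point that evaluates every access request on its own, with no session-level trust carried over. This is illustrative code written for this post, not code from It's Just Results or from any product; the roles, segments, resources, the 15-minute MFA freshness window, and the sample requests are all constructed for the example.

```python
"""Added example: a deny-by-default zero trust policy decision point (PDP).

Every request is evaluated independently against four checks: identity
verification (MFA, fresh for sensitive data), device posture, least privilege
(explicit role grants), and microsegmentation (which segments may talk to
which). The decision and its reasons are appended to an audit log.
All policy data below is constructed for illustration.
"""
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Set, Tuple

# Least privilege: a role reaches nothing except the (segment, resource) pairs listed.
ROLE_GRANTS: Dict[str, Set[Tuple[str, str]]] = {
    "hr-analyst": {("hr", "payroll-db")},
    "developer":  {("dev", "git"), ("dev", "ci")},
    "dba":        {("hr", "payroll-db"), ("dev", "ci")},
}

# Microsegmentation: each segment lists the source segments it accepts traffic from.
SEGMENT_PEERS: Dict[str, Set[str]] = {
    "hr":  {"hr", "corp-vpn"},
    "dev": {"dev", "corp-vpn"},
}

# Resources that require a recent MFA step-up regardless of role (assumed values).
SENSITIVE: Set[str] = {"payroll-db"}
MAX_MFA_AGE_SEC = 900  # 15 minutes; an assumed policy value


@dataclass(frozen=True)
class Request:
    user: str
    roles: Tuple[str, ...]
    device_compliant: bool
    mfa_age_sec: Optional[int]  # None means no MFA was performed in this session
    src_segment: str            # where the request comes from
    segment: str                # where the target resource lives
    resource: str


AUDIT_LOG: List[Dict] = []


def evaluate(req: Request) -> Dict:
    """Evaluate one request in isolation: deny unless every check passes,
    and record the decision with its reasons for the audit trail."""
    reasons: List[str] = []

    # 1. Identity verification: MFA must have happened, and be fresh for sensitive data.
    if req.mfa_age_sec is None:
        reasons.append("no MFA")
    elif req.resource in SENSITIVE and req.mfa_age_sec > MAX_MFA_AGE_SEC:
        reasons.append("MFA older than %ds for sensitive resource" % MAX_MFA_AGE_SEC)

    # 2. Device posture: the "device" half of "no user or device is trusted by default".
    if not req.device_compliant:
        reasons.append("device not compliant")

    # 3. Least privilege: some held role must explicitly grant this segment/resource.
    granted = any((req.segment, req.resource) in ROLE_GRANTS.get(r, set())
                  for r in req.roles)
    if not granted:
        reasons.append("no role grants %s/%s" % (req.segment, req.resource))

    # 4. Microsegmentation: the source segment must be an allowed peer of the target.
    if req.src_segment not in SEGMENT_PEERS.get(req.segment, set()):
        reasons.append("segment %s does not accept traffic from %s"
                       % (req.segment, req.src_segment))

    decision = {"target": "%s/%s" % (req.segment, req.resource),
                "allow": not reasons, "reasons": reasons}
    # Audit trail: who asked for what, from where, and why it was allowed or denied.
    AUDIT_LOG.append({"request": asdict(req), **decision})
    return decision


def demo() -> List[bool]:
    """Constructed requests from one user; each is judged on its own merits."""
    base = dict(user="alice", roles=("hr-analyst",), device_compliant=True,
                mfa_age_sec=120, src_segment="corp-vpn", segment="hr",
                resource="payroll-db")
    r1 = evaluate(Request(**base))                                        # allowed
    r2 = evaluate(Request(**{**base, "mfa_age_sec": 3600}))               # stale MFA
    r3 = evaluate(Request(**{**base, "segment": "dev", "resource": "git"}))  # no grant
    r4 = evaluate(Request(**{**base, "src_segment": "dev"}))              # wrong segment
    return [r["allow"] for r in (r1, r2, r3, r4)]


if __name__ == "__main__":
    print(demo())  # [True, False, False, False]
    for entry in AUDIT_LOG:
        print(entry["request"]["user"], entry["target"], entry["allow"], entry["reasons"])
```

The point of the design is that nothing in `evaluate` remembers a previous decision: the same user with a compliant device and a valid role is still denied the moment the MFA is too old for the resource or the request arrives from a segment the target does not accept. The audit log records the denials as well as the approvals, which is the evidence an auditor will ask for.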

How Zero Trust Policies Deliver Results

For business leaders focused on compliance and security, zero trust policies offer a straightforward way to achieve both. By eliminating blind trust and enforcing continuous verification, zero trust reduces risk, safeguards data, and supports compliance with industry regulations.

At It's Just Results, we know you need solutions that are practical, affordable, and effective. Zero trust policies aren't about adding complexity; they simplify security by making trust explicit and verifiable. This no-nonsense approach helps you meet compliance requirements without the confusion of convoluted frameworks.

Partner With It's Just Results

Outdated policies leave you vulnerable. Embrace zero trust and create a resilient, compliant business environment. Contact us today to discover how we can develop zero trust policies that get the results you need.