An Introduction To
Information, Network and Internet Security


Commentary

It is worth noting that this Clause contains two of the most significant control features of the standard: the education and training of staff, and the contractual setting of the expected behaviour of anyone with access to organisational resources.

The old saying that ignorance of the rules is no excuse is all very well as a directive for the prosecution of offenders at the subsequent board of enquiry or court case, but I would not rely on it. It would have been much better for all concerned if the event had never occurred.

It is essential to ensure that the right staff are employed and that any organisation that is to connect to organisational facilities has a risk assessment carried out on them. All organisations need to ensure that the terms and conditions of access are contractually enshrined and available in case of need.

Having set the information security policy and the organisation to support it, the next stage is to assign management responsibilities and ensure that they train the staff in the detail of how the organisation expects those instructions to be carried out.

The starting point, and the missing factor in most organisations, is the need to recognise the responsibility for security in the initial job description. If an organisation intends to operate a secure environment, it is paramount that employees and third parties with access to organisational information processing assets appreciate what that implies. If this understanding is established before employees or third parties are given access to organisational information processing systems, so much the better. As with all commercial skills there will be some degree of trade-off when new staff are recruited. It is rare to find the perfect fit in any category, but the recruitment process should give the organisation a good idea of the subsequent training targets for each individual. If the organisation expects to handle sensitive information, then the employee's contract should include a non-disclosure agreement, and induction training should make sure that they understand what that means.

A well-managed organisation is the one where things do not go wrong, rather than the one where all of the guilty are duly punished. Regular security training for all staff who have any security responsibility is the only way to help them achieve the organisation's information security objectives. There are many organisations where induction training is only done once per year. Anyone who joined in the last year could have spent a long time doing things which left the organisation vulnerable, simply because no one told them otherwise. If the organisation is large enough to experience a high volume of new starters, then it would be better to arrange induction training at more frequent intervals. If there are very few new starters, it may be worth considering appointing individual mentors who are charged with passing on the good word.

Out-sourcing, downsizing and de-layering are popular terms for reducing the corporate headcount. Organisations that undertake one of these processes will probably also recognise the increase in the use of third party contractors who come and go in order to fill the gaps. This is especially true for IT contractors.

Who spends valuable contractor time on induction training?

Temporary staff, who come and go from an agency, without the organisation even knowing their home address, must be considered as the worst possible risk to your security systems. Either train them or supervise them or don't let them near your sensitive information!

Sadly it is not a perfect world, and when breaches of security do occur, for whatever reason, it is important to have an appropriate disciplinary process in place. Too many industrial tribunals fail because the alleged offender was not aware he was not able to ...

Even more important are the sanctions that can be taken against third parties, which must be enshrined in the contracts that they are employed under, as the staff disciplinary process is usually not relevant to them.



The Security Practitioner

An Introduction to Information Security