The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/624538
WWW.ILTANET.ORG 9 about the employee who thinks he might have breached sensitive or protected information? How does he figure it out? Who does he contact? I like to use a decision tree for this type of communication. This easy-to-read format has plenty of white space and feels less intimidating than a dense, text-heavy document. This is useful in that critical moment when an employee is anxiously trying to determine if she has exposed sensitive data. A decision tree can help employees determine whether they need to report something, to whom and how quickly: Task-oriented, real-world-based communications help ensure that your employees know what they should and should not do regarding information security. These communications are not a replacement for good, comprehensive policies; they communicate your policies in a way that is accessible to employees. Whether you are boiling a 50-page "acceptable use policy" down to digestible pieces or creating an "incident reporting guide" that encourages employees to report concerns to the right people in a timely fashion, getting your communications right requires thought and effort. The results are communications that connect! STRATEGY THREE: THEY HAVE QUESTIONS, YOU HAVE ANSWERS Frequently asked questions (FAQs) are another great way to share policy information with employees in a relatable, real-world way. The key is to consider how employees think. Most often, their questions are framed around a task that must be done. Consider posting FAQs like this to your information security portal or intranet, with links to any policy and learning resources in the answers. Q: Is it okay to put client documents on my personal USB drive? A: To help protect our clients and the firm, our policy does not allow work product to be stored on an unencrypted USB drive. However, we provide encrypted USB drives for this purpose. Call the helpdesk, and we will be happy to get one to you. For more information, review our policy about USB drives [provide link] and our "Using an IronKey Encrypted USB Drive" guide [provide link]. STRATEGY FOUR: GET GRAPHIC Policies are not the only complex documents we need to communicate to employees. "Incident reporting" documentation is often complex and usually focuses on IT processes. What STRATEGY TWO: FASTER THAN A SPEEDING BULLET…POINT Bullet points are an effective way to break down large amounts of information into quick hits. They are easier on the eyes, with more white space to help you feel like you are reading less information. Within a comprehensive policy document, use a bulleted list to create an executive summary-style resource for individual topics. For example, I recently reviewed a seven-page "mobile device use" policy. To help employees find the information they needed quickly, we inserted a five-point summary at the beginning of the policy: Mobile Device Use Policy Summary Note: Reading this summary is not a substitute for reading our entire policy. • If you are connecting your mobile device to firm resources, you must have our mobile device management software installed on your device. • We require a four-character passcode on any mobile device connecting to firm resources. This setting is enforced by our mobile device management software. • We require a screen-lock setting of no more than 10 minutes. This setting is enforced by our mobile device management software. • If your device connects to firm resources and is lost or stolen, report it to our 24/7 helpdesk as soon as possible, and no more than four hours after discovering the device is missing. • The firm reserves the right to erase all firm data from lost or stolen devices at its discretion. Keep your summary to five or fewer bullet points. If you are not sure what the summary should include, consider reviewing helpdesk tickets at your firm: What are the questions employees ask time and again? These are the policy answers your employees need quickly. No, stop No, stop Yes/Maybe Qualifying ? Qualifying ? Qualifying ? Qualifying ? Scenario #1 Scenario #1 Call IT for Help Good to Go No Scenario #2