Employee information security policies impose obligations on an organization's employees with the aim of reducing the risk of cyber-attacks. Such policies usually contain instructions on how to choose strong passwords, apply patches and updates, detect phishing schemes, protect sensitive information, and respond to information security incidents. There is an abundance of online material about how to draft a comprehensive employee information security policy. However, much of that material does not address the disadvantages of such policies.
The purpose of this article is to provide tips on how to draft employee information security policies that are not only comprehensive but also efficient. More particularly, this article recommends that authors of such policies NOT require their organizations' employees to use excessively strong passwords (Section 2); read complex documents (Section 3); or obtain explicit permission from the IT security team for low-risk transactions (Section 4). At the end of the article, we provide a conclusion (Section 5).