The Future of Iran’s Internet Is More Uncertain Than Ever
Iran’s internet shutdown has reduced connectivity by 99 percent, with air strikes likely causing additional outages, and few workarounds remaining.
Security Latest – Read More
Amazon is selling the Pixel 10a for $499 plus your choice of a gift card or a pair of Pixel Buds 2a. Plus, Google Store has its own offer, too.
Latest news – Read More
The latest Dell XPS features improved battery life, a premium build, and Intel’s Series 3 Panther Lake processor for a well-rounded experience.
Latest news – Read More
Designed for heavy use in dash cams, body cams, and home security cameras, these cards exceeded my wildest expectations.
Latest news – Read More
In a recent security partnership with Mozilla, Anthropic found 22 separate vulnerabilities in Firefox — fourteen of them classified as “high-severity.”
Security News | TechCrunch – Read More
DPRK worker scams are old hat, but they’re still working, thanks to AI tools that help with everything from face swapping to daily emails.
darkreading – Read More
Don’t wait until AI-enabled deepfakes and malware overwhelm your organization. Experts recommend these aggressive best practices for hardening your defenses.
Latest news – Read More
A joint study by Google and GitGuardian reveals that over 2,600 valid TLS certificates, protecting Fortune 500 companies and government agencies, were compromised due to private key leaks on GitHub and DockerHub.
Hackread – Cybersecurity News, Data Breaches, AI and More – Read More

Part 2 of a series on creating information security policies
Many breaches don’t start with sophisticated hackers; they start with ordinary users doing ordinary things in unsafe ways. Let’s look at three policies that help the people in our organizations understand how to safeguard everyone’s information.
Because there are as many ways to write a policy as there are organizations – compounded by the numerous requirements imposed by regulations – I won’t attempt a one-size-fits-all policy for each of these. Part of becoming proficient with policies is learning the available options while still satisfying the requirements of your org. I’ve provided several links in the Resources section at the end of this article so you can check out options if you need inspiration or a head start.
1) Acceptable Use Policy
This policy defines how employees and contractors may use company systems, networks, and data. It sets boundaries for acceptable behavior and reduces ambiguity during investigations.
2) Security Awareness & Training Policy
This establishes requirements for onboarding and ongoing security education. The goal isn’t perfection, but consistent, informed, job-role-appropriate training. This often needs to be done hand in hand with Human Resources to cover the full lifecycle of employment, from recruiting to offboarding.
3) Remote Work Policy
The remote work policy addresses security expectations for working outside controlled environments, including device security, network usage, and data handling. This policy should also account – even if they’re not specifically named – for children, pets, bystanders, visitors to the home, accidental spills, etc. It’s not that those things are inherently bad, but they pose risks to corporate and customer information and equipment.
NOTE: I’m acutely aware that those outside infosec tend to see people in IT and Security roles as experimenters and gearheads who think of people only as users, weaknesses, statistics, and other non-human abstractions. Much of that comes from the habit of ITSec folks bringing the language of tech (users, roles, risks, vulns, authn/authz, access control, etc.) into the realm of humanity. While policies often require generic or technical language, don’t let that spill over into your interactions with others. They are people, not policies and procedures.
When it comes to cybersecurity, technology often receives the spotlight – firewalls, encryption, and intrusion detection systems all play starring roles. Yet in reality, people remain the most frequently targeted component of any security environment. Attackers know this well. Phishing, social engineering, and misuse of access continue to outperform exploit kits and zero-day vulnerabilities because people can be persuaded where software cannot. (Note: this is because people care and want to be helpful, unlike software. This is NOT because people are “the weakest link.” Let’s give people proper credit.)
Information security policies that address human behavior must treat employees not as weak links, but as critical defenders. The goal is not to eliminate human risk, but to manage it through clear expectations, knowledge, and culture. The Acceptable Use Policy (AUP) becomes a foundational layer in this effort. It defines what constitutes responsible system use and outlines the boundaries that protect both data and users.
At its core, the AUP states that organizational systems and data are for authorized business use only. Employees are custodians of the company’s digital – and even physical – environment, expected to handle information and technology in alignment with established policies. That means things like refraining from downloading unauthorized software, connecting to the network with unauthorized gear, exfiltrating data, and attempting to bypass security controls. These aren’t arbitrary restrictions – they’re practical safeguards against both internal mistakes and external threats.
Because businesses are responsible for protecting customer data, using a corporate computer is not like using a home computer for personal purposes.
A well-crafted AUP shouldn’t read like a list of punishments; it should set clear expectations while leaving room for people to make smart decisions (although, ironically enough, most AUPs are primarily a list of what is UNACCEPTABLE rather than what is acceptable). Overly rigid language can create fear or confusion, leading to either apathy or deliberate workarounds. An employee who disables a security control because a system blocks legitimate work isn’t necessarily being malicious (well, not always – beware); they’re trying to be productive, judging that getting the work done matters more than the friction the control causes. That tells us policy enforcement should blend accountability with compassion, and a policy that offers a sanctioned way to request an exception produces fewer silent workarounds.
Leaders can foster this balance by emphasizing why the policy exists. When staff understand that each safeguard protects customer trust, intellectual property, and even their own reputations, compliance becomes an act of shared responsibility. This cultural framing turns “rules to follow” into “safeguards we all benefit from.”
In practical terms, managers should reinforce that acceptable use extends beyond the brick-and-mortar office. The modern workplace is fluid – remote work, mobile devices, and cloud collaboration all expand the security perimeter. Employees working off-site must – as appropriate to their org’s resources:
No two companies are the same, and not every company can afford the best protection available. The practical infosec approach is to make device and data security as feasible as you can – and much of that “best” is people doing their best, both in building the controls and in creating an environment where people understand the purpose of the controls.
Simple lapses – e.g., letting strangers shoulder surf, discussing sensitive information in shared spaces – can expose the same data a technical breach would. Clear expectations, reinforced through relatable examples, reduce the likelihood of such incidents without creating undue friction.
Security awareness training often suffers from poor framing. Too many organizations treat it as a compliance requirement – a box to tick during onboarding or annual reviews. That approach misses the real purpose: to equip staff with actionable insight they can actually use.
Training should be viewed as a control measure just like multi-factor authentication or an access log. It directly reduces human error and strengthens resilience against common attacks. Effective programs share several traits:
Timely delivery: Training must occur at key moments — during onboarding, before role transitions, and annually for reinforcement.
Interactive learning: Scenario-based modules and phishing simulations help people apply theory to practice.
Real feedback: Employees benefit when simulations provide clear explanations of what went wrong, not just pass/fail scores.
Leadership participation: When executives take part, it signals that security isn’t just an IT function; it’s a business priority.
Phishing simulations deserve special mention. They are not designed to catch employees off guard or shame mistakes but to raise situational awareness in safe conditions. Just as fire drills teach evacuation procedures, simulated phishing tests teach response habits: pausing before clicking, checking sender authenticity, and reporting suspicious messages.
Critically, organizations must frame these exercises as learning opportunities, not traps. Employees should feel empowered to ask questions and report close calls without fear of reprisal. Always provide an easily accessible channel for reporting and asking questions. Building this trust transforms training from an obligation into an ongoing dialogue.
The convergence of human behavior, policy, and culture defines an organization’s security posture far more than any individual control. The Acceptable Use Policy and security training requirements provide structure, but it’s the united mindset that determines effectiveness.
By acknowledging human risk as the central attack surface, policymakers can shift from reactive enforcement to practical engagement. Policies become meaningful when employees understand their “why.” Training becomes meaningful when it changes real-world decisions. Together, these efforts anchor a culture of responsible technology use rather than mere rule compliance.
The goal isn’t to regulate every keystroke, but to ensure that everyone recognizes their role in safeguarding the organization’s digital assets. A culture that prizes awareness and accountability, and builds trust, will always outperform one that relies solely on controls.
In an environment where every click matters, encouraging people to act securely is the most effective defense of all.
Stay vigilant and safe!
Resources
As promised, here are several places where you can find numerous policy templates to learn from, get ideas, investigate, and modify as needed. Happy hunting!
https://heightscg.com/2025/11/14/information-security-policy-templates/
https://heimdalsecurity.com/blog/nist-cybersecurity-framework-policy-template-guide/
https://www.cisecurity.org/controls/policy-templates
https://github.com/HailBytes/security-policy-templates
(NOTE: This downloads the PDF right away) https://www.azed.gov/sites/default/files/2023/03/04.%20Template%20Security-Awareness-and-Training.pdf
(NOTE: This downloads the Microsoft Word file right away) https://community.trustcloud.ai/kbuPFACeFReXReB/uploads/2023/03/ISO-27001_2022-Information-Security-Management-System-ISMS-Policy-Template.docx
https://policy.arizona.edu/information-technology/information-security-awareness-training-policy
https://blueteamalpha.com/resources/security-awareness-training-policy-template/
https://www.sans.org/information-security-policy
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1300.pdf
https://github.com/PehanIn/ISO-27001-2022-Toolkit
https://github.com/simplerisk/templates
https://github.com/JupiterOne/security-policy-templates
Secjuice – Read More
In 2026, we know to be wary of someone pointing a phone camera at you – but should you now be wary of people wearing glasses?
Latest news – Read More