PUTTING IT INDUCTION IN PERSPECTIVE
Do you find the terms IT Induction and IT Introduction being used interchangeably? If yes, then it is also likely that you will have new employees in your organisation who, being IT competent, are wondering why they need to attend an IT Introduction programme, and are most likely raising objections at such a proposition. Understandably so. If you are not experiencing a conflict of these terms then you are in an enviable position.
Introduction is about a first experience of a subject or activity, so you would expect an IT Introduction programme to focus on instruction on how to use IT, a skills-based training event for instance, and unlike induction, an introduction has a conclusion, an end point.
Induction on the other hand is less open and closed because it is educational in nature and focuses on expected behaviour as much as it does on sharing knowledge, and has little relationship to IT competencies. The aim of any induction process is to help new employees make a smooth and informed transition to their new workplace, ensuring all the basic information they need is available to them, so they are in a position to adapt quickly to their new role.
This pocket guide refers therefore to IT Induction as an educational programme or activity that informs staff within an organisation about the IT3 facilities and services available to them, brings their attention to current IT policies and guidelines, and emphasises individual responsibilities through good working practices.
So what is the relationship between IT Induction and Information Security Awareness?
Information Security is fundamentally about safeguarding information, and is based on the CIA principles:
• Confidentiality: ensuring information can only be accessed by those who are authorised to do so.
• Integrity: ensuring the information is accurate and can be trusted.
• Availability: ensuring the information is available when it is needed.
Hence, Information Security Awareness focuses on the user’s responsibility, to ensure that good working practices are adopted under these broad principles, thereby reducing the likelihood to the organisation (and to some extent the individual) of legal, financial and reputational risk. Figure 1 shows how Information Security Awareness becomes an integral part of a holistic IT Induction programme.
From Figure 1 it can be deduced that either removing or limiting any of the elements of the IT Induction programme will have the overall effect of reducing the Information Security Awareness impact, which would not only be a missed opportunity, but may also prove to be a costly one.
How does an ICT Code of Conduct fit with IT Induction?
An employee ICT Code of Conduct or Acceptable Use Policy (AUP) is a document that sets out certain rules and guidelines that an employee is expected to follow whilst using the organisation’s information systems, and will indicate what would constitute an infringement of these guidelines and the penalties of doing so. Depending on the organisation, the employee may be required to sign the Code of Conduct as part of their employee contract or before being given access to the organisation’s information systems. Consequently, the ICT Code of Conduct sits within the IT Policies and Guidelines element of IT Induction, as shown in Figure 1, and is therefore an integral part of the programme. It would thus make logical sense for a new employee to undertake the IT Induction programme prior to signing the Code of Conduct, as this will give the document more significance.
In summary, this chapter has distinguished between IT Introduction and IT Induction. It has indicated three key content areas for the IT Induction programme, and shown how these overlap to bring about integral Information Security Awareness opportunities into the programme.