CHAPTER 4: INDICATIVE CONTENT – IT Induction and Information Security Awareness

Having established the case and audience for IT Induction, this chapter will look into the programme in more detail, suggesting content that you may adopt or adapt to your own organisational needs. At this point, it often helps to be reminded of the aim of the programme. For example:

To inform system users of: the IT facilities and services that are available to them; current IT policies and guidelines; and to endorse individual responsibilities and working practices whilst using the organisation’s information systems.

How can we now turn this into practical content? It is probably easier to imagine yourself as a new user in the organisation. So typically you might want to know how to gain access to the information system(s), what resources you will have available, and if there is anything you specifically should, or should not, do whilst using the system(s).

The following provides a number of broad headings to help you get started; they are not intended to be definitive.

System access

The new user will probably want to know:

• Their username and password.

• The password policy; for instance, the strength of passwords, and how and when they should change their password.

The organisation may also want them to know:

• That the Acceptable Use Policy is in operation once they gain access to the organisation’s information systems.

• Organisational policy or guidelines on constructing and remembering passwords, and who to turn to for help when they forget their passwords or discover a need to share resources protected by passwords. It may help to observe user behaviour with regard to password management, for instance if ‘sticky notes’ decorate monitors with reminders, does this habit also include jotting down usernames and passwords? Paperless offices may not have this problem; however, could the digital equivalent present similar risks?

• How to secure active network sessions when the user needs to be away from their computer.

• About any ‘lock out’ policy that is in place. For instance, after three unsuccessful attempts to gain access to the system, does the system lock the user out, treating them as a potential threat? If so, the user will need to know what they have to do to unlock their account.

System resources

Once a new user has gained access to the system they will probably want to know:

• The desktop productivity tools that will be available to them. For instance, does the organisation provide Microsoft® Office? If so, what version and which applications?

• The organisational policy on gaining access to non-standard applications and specific corporate systems.

• The file storage facilities they have, and whether there is a standard filing structure and limits to the file store.

• About IT training and support provision. If these services are available, how can they access this resource or service?

The organisation may also want them to know:

• That unauthorised access to system resources is subject to the Computer Misuse Act 1990.

• That personal information that can identify a living individual is subject to the Data Protection Act 1998, and to inform the user who has the role of Data Protection Officer within the organisation.

• Organisational policy on transferring data from the system to a portable storage device. For example, what is the policy on USB memory stick use?

• Organisational policy or guidelines on bringing data into internal systems from an external location, including anti-virus policy or guidelines.

• Organisational policy or guidelines on sharing data storage locations and collaborative working arrangements.

• Organisational policy on the use of spreadsheets to model or store corporate data.

• Organisational printer policy. This may include eco-friendly printer use, confidential printing and overall good practice.

• Any associated clear desk policies or recommendations to support data confidentiality.

Connectivity

More common these days is the requirement for users to mix and match their home and work environments, including using their personal equipment. Whilst some organisations have clear and indisputable policies on this, others may not.

A new user may want to know:

• Whether they can use their own personal computer equipment, either on or off the organisation’s network, including their use of mobile phones, PDAs or personal printers.

• The telephone systems that are in use, how to get help in using them, and whether they can synchronise their personal and work contacts through the systems provided.

The organisation may also want them to know:

• Organisational policy or guidelines for home and mobile working.

• Whether taking personal calls during working hours, or in certain working environments, is permitted or restricted.

• How to physically secure their mobile equipment.

E-mail

It is generally a given that all users will be provided with an e-mail account to conduct their business. Although hard to imagine in today’s connected society, there may be a few exceptions where the user’s role in the organisation will exclude this facility.

Most organisations will have their own domain names and e-mail systems. This provides more security for communication and endorses the corporate brand, and should therefore prompt good working practice guidelines.

The new user will probably want to know:

• Their internal and external e-mail address.

• The e-mail system that the organisation uses, and how they can get help in using it.

• Details of standard distribution groups or mailing lists.

The organisation may also want them to know:

• Privacy expectations.

• About any e-mail storage quotas in operation.

• About general or specific netiquette rules, especially with regard to corporate brand and communication policies.

• The organisational policy or guidelines on whether they are allowed to send personal e-mail from their business e-mail address.

• Whether accessing their personal e-mail from work is permissible or restricted to certain times, for instance to coincide with lunch breaks.

• Instant Messaging facilities and restrictions if appropriate.

• That the ubiquitous nature of e-mail often makes it appear to be an informal form of communication; users should therefore be reminded that contracts can be made or broken via e-mail, and that the contents of an e-mail can be used in litigation.

• That should the content of an e-mail identify a living individual, then it may be subject to the Data Protection Act 1998.

• That sending, accessing or altering an e-mail while masquerading as someone else is illegal and subject to the Computer Misuse Act 1990.

• About any restrictions on sending and receiving file attachments, including compatibility issues between software versions, and practical tips on how to avoid these.

• The threats from phishing scams and spam attacks, and what mechanisms the organisation has in place to reduce these threats. IT Induction should give the new user an initial understanding of how to handle these types of e-mail threat, and equally make them aware of the consequences of being a perpetrator of such communication malpractice.

Web facilities

Increasingly, organisations have internal and external web-based systems, which may have restricted or controlled access. The IT Induction programme is an ideal opportunity to inform the users of web resources that are available to everyone, and where to find out about restricted resources, if appropriate.

The new user will probably want to know:

• How to access any intranet and/or extranet the organisation has, and who has content responsibilities.

• About the organisation’s public website and who is responsible for its content (although this is often discovered in preparation for the interview).

• Whether the organisation has any collaborative or social networking sites. If so, where to find out about the rules of engagement.

The organisation may also want them to know:

• What is permissible regarding personal surfing and e-commerce, and perhaps a brief caveat on international law in this respect.

• Details about any web filtering that is in place.

• Good practice guidelines on accessing multimedia via the Internet.

• The user’s responsibilities relating to the Copyright, Designs and Patents Act 1988.

• What is permissible and appropriate regarding downloading of materials and the increasing threat from malicious software.

• The importance of corporate branding, and where to find out about marketing and branding information.

• The issues that may result, for both the individual and the organisation, from providing personal or business details on public websites.

Health and safety

Generally, new staff don’t have this item on their agenda, assuming that modern office equipment will meet all health and safety requirements. However, they should be reminded of what they can expect the organisation to provide for them, and what the employer will expect from them in terms of how they use the equipment provided. This is quite clearly described in the Health and Safety at Work Act 1974.

IT services

It is helpful to inform new users as to whether the organisation has an IT department and, if so, the services it provides.

The new user will probably want to know:

• How to contact the Service Desk (aka User Support or Help Desk) and its hours of operation.

The organisation may also want them to know:

• Whether the Service Desk is a single point of contact for all IT enquiries; if so, the contact details should appear regularly throughout the IT Induction material. Alternatively, you will want the new users to know what IT services are available and how to access them.

Whilst this chapter has suggested appropriate content for an IT Induction programme, it is important to keep both the content and its level of detail in perspective. A lengthy and detailed IT Induction is likely to be overwhelming for a new user and unlikely to be memorable. Conversely, a brief IT Induction may leave the new user with too many questions rather than answers, which will not only result in frustration but could also create a poor first impression. Getting the content just right is not always easy, and one way to judge what is needed is to exercise reflective practice through evaluations, observations and talking to users. Service Desk experience can also provide some valuable insight into users’ difficulties or lack of understanding, all of which should then be used to refine the IT Induction programme.

Recommended reading

Data Protection Compliance in the UK, Jay R and Clarke J, IT Governance Publishing Ltd (2008) ISBN: 9781905356492.

IT Regulatory Compliance in the UK today, Calder A, IT Governance Publishing Ltd (2007) ISBN: 9781905356270.

Also visit the following websites:

The Information Commissioner’s website at www.ico.gov.uk.

The Office of Public Sector Information at www.opsi.gov.uk.