CHAPTER 7: IT INDUCTION – A ONE TIME ONLY EXPERIENCE? – IT Induction and Information Security Awareness

CHAPTER 7:
IT INDUCTION – A ONE TIME ONLY EXPERIENCE?

Throughout this pocket guide there has been the suggestion that IT Induction is a one time only experience for new users. However, if the content of your IT Induction goes beyond informing users of file storage locations, and has a good information security element, it is worth considering ways in which users could revisit IT Induction, in so doing reinforcing user responsibilities and good working practice. Here are four scenarios where revisiting the IT Induction may be appropriate in your organisation:

• Revisiting the IT Induction could be timed around staff annual appraisals, and you may even consider making this an essential part of the appraisal process.

• Opportunities to encourage, or mandate, a revisit to IT Induction may arise in situations where staff are moving from one location in the organisation to another, especially if the IT platform or facilities are different.

• IT Induction would benefit those staff who have returned to work from a long period of absence, for instance maternity leave, or long-term sick leave, and it may be opportune to mandate this prior to re-initiating their user account.

• It is a sad fact that in any organisation there will be staff who defy organisational policy and procedure or take advantage of the IT systems. In these circumstances, especially where the misdeed is not too serious, an insistence on revisiting the IT Induction and Information Security Awareness programme may be an apt outcome.

These scenarios suggest IT Induction is not really meant to be a one time only experience for users. But what about those involved in its development; is it a one time only experience for them? To answer this question let us revisit the diagram introduced in Chapter 1, which is reproduced below.

Figure 2: The relationship between the elements of an IT Induction programme and information security

It seems unlikely that any one of these elements will remain static over time. For example, a change in IT service provision, for instance, enabling or disabling the use of USB storage devices, will necessarily have an impact on IT Policy and Guidelines and working practice recommendations, all of which will have an impact on information security, which you may recall from Chapter 1 revolves around the confidentiality, integrity and availability of your data.

Therefore, given the dynamic IT environment in which most of us work and live, those involved in the development of IT Induction and Information Security Awareness programmes should expect to revisit the programme on a regular basis to ensure it is still fit for purpose, whilst tutors will be required to keep their knowledge and understanding current, if they are charged with the responsibility of disseminating this information.

In summary, it is important to remember that IT Induction and Information Security Awareness is about keeping your organisation’s data safe, protecting personal data and safeguarding the organisation’s brand through educating your users not only in good IT working practices but also in encouraging organisation-wide responsibility. To achieve this, your IT Induction and Information Security Awareness programme must be accessible, relevant and up to date, and for these reasons alone it is unlikely to be a one time only experience for the author, or the recipients of the programme.