CSA CCM HRS-02
Acceptable Use of Technology Policy and Procedures

Hey there! Let's chat about a super important security control called HRS-02 from the Cloud Security Alliance. This bad boy is all about making sure your employees know what's cool and what's not when it comes to using company tech. We're talking policies and procedures that spell out the do's and don'ts in a way even your intern can understand.

Where did this come from?

This juicy tidbit comes straight from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26. You can grab your very own copy to impress your friends at https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4. The CCM is chock-full of other controls too, so check it out.

For some extra credit reading, peep AWS' documentation on their Acceptable Use Policy: https://aws.amazon.com/aup/

Who should care?

  • CISOs with responsibility for managing employee use of technology
  • HR managers with a need to communicate acceptable use to the troops
  • Department heads with a desire not to get pwned due to Jim in accounting clicking sketchy links
  • Employees with company laptops and a history of 'misclicks' on the darker corners of the interwebs

What is the risk?

Not having a crystal clear acceptable use policy is like leaving your front door wide open with a neon 'rob me' sign. It's an open invite for:

  • Data leakage when Judy downloads confidential files to her ancient malware-ridden home PC
  • Reputational damage when Dave decides to troll competitors from the official company Twitter
  • Malware infections when curious George opens that 'you've won a prize' email
  • Lawsuits when Meg is busted selling company secrets on the darkweb

A solid HRS-02 implementation significantly reduces the likelihood of these face-palm moments by telling people what's off-limits. No guarantees Meg will listen, but at least you can say 'I told you so' as security escorts her out.

What's the care factor?

On a scale from 'meh' to 'drop everything and implement this now', HRS-02 rates a solid 'put down the TPS reports and pay attention'. Why? Because your employees are your biggest asset, but let's be real, they're also your biggest liability. All it takes is one oopsie and suddenly you're on CNN explaining how an employee uploaded ransomware thinking it was a Minecraft mod. An ounce of acceptable use prevention is worth a pound of incident response cure.

When is it relevant?

HRS-02 is clutch if you have:

  • Employees (congrats! you're relevant)
  • Company tech like laptops, phones, email, Slack (basically every company ever)
  • Confidential data you'd rather not see on WikiLeaks
  • Auditors/regulators who expect you to have your act together
  • Desire to not be the next Equifax/Target/insert-breach-victim-here

If you're a one-person startup living in your mom's basement, you can probably skip this one for now. Otherwise, hop to it.

What are the trade-offs?

Locking down use of company tech makes InfoSec happy, but employees may grumble about lost 'freedom'. Especially when you block social media or that sweet online game everyone's addicted to. HR will also need to invest some calories communicating and enforcing the policies. And IT may need to implement controls like web filtering and DLP. But hopefully preventing a breach or two makes the effort worthwhile.

How to make it happen?

Ready to get your acceptable use game on point? Follow these steps:

  1. Dust off your current acceptable use policy (or write one if somehow you don't have one already). Make sure it covers:
    • Expected security behaviors (No password sharing! Encrypt sensitive data! Don't be click-happy!)
    • Prohibited activities (No hacking! No harassment! No hogging all the bandwidth to stream Tiger King!)
    • Monitoring practices (Yes, IT can see your browser history, even in incognito mode!)
  2. Have Legal bless it to ensure you can fire Meg if she tries to pull a fast one
  3. Shove the policy in front of every employee's face and make them sign it. Bonus points for gamifying it with a quiz!
  4. Train your peeps on what it all means. Use relatable examples like 'TikTok at work, bad! Encrypting customer data, good!'
  5. Implement technical controls to enforce the really important bits, like blocking file uploads to shadow IT services
  6. Review and update annually, or whenever something wonky happens, like half the sales team falling for that gift card scam

What are some gotchas?

Make sure your policy complies with any relevant laws or regulations for your industry/location. Europe in particular has some strict privacy rules to navigate.

Certain roles may need exemptions for legit business reasons, like letting your social media manager doomscroll Twitter. Document those carveouts.

Some key technical controls to consider:

What are the alternatives?

You could just toss some computers to your employees willy-nilly and pray for the best. Let me know how that works out for ya. Otherwise, HRS-02 or bust!

Explore further

There you have it! Go forth and acceptably use all the things. And remember, with great technology comes great responsibility. Or something like that. Happy policy making!
