Slack for Security - How to do Policy Acknowledgements in Slack

Travis Good
July 5, 2022

Why policy acknowledgements matter

Your policies and procedures are the backbone of your information security, privacy, and compliance program. Everything else (configurations, tools, etc.) should be built on top of your policies or created based on them. Consistency and transparency from policy and procedure through to the actual day-to-day settings, tools, and configurations are required.

The challenge is that employees, the people that do the day-to-day stuff, are often not the people that write or maintain the policies and procedures. This disconnect between who owns the policies and who implements and follows them can create problems, including security incidents.

Policy acknowledgements are required

Because of the importance of policies to a functioning information security program, policy acknowledgement is a common process all employees must follow. Policy acknowledgement is also required by most audit and regulatory frameworks like HIPAA and SOC 2. Ideally, employees don’t just acknowledge having read policies but actually understand them and can apply them to their job. For the purpose of audits, acknowledgement is the check-the-box event.

Most companies do policy acknowledgement at onboarding for new employees and then annually thereafter. Because this is the same schedule many companies use for security awareness training, policy acknowledgement is often bundled with security awareness training. Though this is industry standard, it’s important to educate employees on policies that change and get them to acknowledge learning about the policy changes, even if those changes fall outside the typical annual cadence.

Doing policy acknowledgements in Slack

Slack can be used for policy acknowledgement, though it does not scale well. The way we’ve seen it done is by sending an announcement to a channel, a group, or all of Slack. This announcement message should include context about the policy or policies, a link to the full content of the policy, and directions on how to comment on the announcement message to acknowledge having read and understood the policy.

This is a somewhat janky process that tends to only work for companies with fewer than about 20 employees. Even with small companies, this process doesn’t generate the type of evidence that an auditor is used to seeing, making your job harder at audit time.

Doing policy acknowledgements with Haekka in Slack

At Haekka, we love Slack. We built Haekka to create a centralized place for security in Slack or, as we like to call it, a security HQ in Slack. A key function of a security HQ is the ability to do policy acknowledgements. Our custom content feature makes doing policy acknowledgements in Slack simple and powerful.

Haekka has functionality that makes policy acknowledgements:

  1. Simple to create for admins and managers. You can do it ad hoc or put it on autopilot by making policy acknowledgements recurring on an annual basis.
  2. Fast and easy for employees. No jumping out to other tools required. No new logins. 100% in Slack.
  3. No more nagging. Haekka handles notifications. Set a due date for your policy acknowledgements and Haekka will take care of reminding your employees until they get it done.
  4. Beautiful, complete evidence for audits and auditors. We create all the documentation you need for your audits. Your auditor won’t ask for any follow-up.

There are actually 2 ways to do policy acknowledgements in Slack with Haekka.

  1. Create a policy acknowledgement course (or add policy acknowledgement as a lesson for your security awareness training). You can either create links to your policies or you can put the actual content of the policy into Haekka. If you choose to put the content into Haekka, Haekka seamlessly becomes the home of your policies and procedures.
  2. Create a policy acknowledgement Engagement. We recommend this for ad hoc policy announcements and acknowledgements. The use case is usually a new policy or a significant change to policies. It’s simple and fast (think done in under 10 minutes).

We created a video to show how easy it is to create, assign, and complete a policy acknowledgement using Haekka in Slack.

---

At Haekka, we use our own app to do policy acknowledgements. It is the easiest way we’ve found to do them.

Policy acknowledgements also fit well in a security HQ alongside security awareness training, regular Engagements from the security team, and weekly bite-size Streams of content.