Slack for Security - How to do Policy Acknowledgements in Slack
July 5, 2022
Your policies and procedures are the backbone of your information security, privacy, and compliance program. Everything else - configurations, tools, etc - should be built on top of your policies or should be created based on them. Consistency and transparency from policy and procedure through actual settings, tools, and configurations (day-to-day) is required.
The challenge is that employees, the people that do the day-to-day stuff, are often not the people that write or maintain the policies and procedures. This disconnect between who owns the policies and who implements and follows them can create problems, including security incidents.
Because of the importance of policies to a functioning information security program, policy acknowledgement is a common process all employees must follow. Policy acknowledgement is also required by most audit and regulatory frameworks like HIPAA and SOC 2. Ideally, employees don’t just acknowledge having read policies but actually understand them and can apply them to their job. For the purpose of audits, acknowledgement is the check the box event.
Most companies do policy acknowledgement at onboarding for new employees and then annually thereafter. Because this is the same schedule many companies use for security awareness training, policy acknowledgement is often bundled with security awareness training. Though this is industry standard, it’s important to educate employees on policies that change and get them to acknowledge learning about the policy changes, even if those changes fall outside the typical annual cadence.
Slack can be used for policy acknowledgement though it does not scale well. The way we’ve seen it done is by sending an announcement to a channel or group or all of Slack. This announcement message should include context about the policy or policies, a link to the full content of the policy, and then directions on how to comment on the announcement message to acknowledge having read and understood the policy.
This is a somewhat janky process that tends to only work for companies with less than about 20 employees. Even with small companies, this process doesn’t generate the type of evidence that an auditor is used to seeing, making your job harder at audit time.
At Haekka, we love Slack. We built Haekka to create a centralized place for security in Slack or, as we like to call it, a security HQ in Slack. A key function of a security HQ is the ability to do policy acknowledgements. Our custom content feature makes doing policy acknowledgements in Slack simple and powerful.
Haekka has functionality that makes policy acknowledgements:
There are actually 2 ways to do policy acknowledgements in Slack with Haekka.
We created a video to show how easy it is to create, assign, and complete a policy acknowledgement using Haekka in Slack.
At Haekka, we use our own app to do policy acknowledgements. It is the easiest way we’ve found to do them.
Schedule a demo
Get started with a free trial by scheduling a demo today. One of our training experts will walk you through a live Haekka demo.