F30POST
2012-2015 BMW 3-Series and 4-Series Forum
      03-22-2018, 05:13 PM   #1
Daftasabrush
Fool
England
1857
Rep
3,542
Posts

Drives: F31 340i
Join Date: Jul 2014
Location: England

iTrader: (0)

Company handbooks/policies

Why are they always such utter wank?

I've been 'assigned' a task to 'read, understand and agree to' our company handbook and infosec policies. This is fine in theory, but the fucking things are written by people who clearly don't read the whole lot together, and as such there's so many contradictions it's impossible to agree to! I'll get hounded by my seniors and HR if I don't agree to it but I can't actually agree to it.

According to the handbook and infosec policy:

1) All of my creations belong to the company (coffee table, CD rack, sledge etc) and must be surrendered upon leaving - guarantee they're not talking about these items but there's no distinction.
2) I'm allowed to use company email for personal usage - surprising but fair one
3) I'm allowed to use the internet for personal usage but at a minimum - fair
4) I'm not allowed to download copyrighted work (so what about that pesky browser cache?)
5) Internet usage is for business use only (erm? See point 3)
6) personal mail and personal internet usage must be approved separately (erm? See points 2 and 3)
7) The links to further documents point to a wiki that has since been decommissioned. I am expected to have read and understood these links...
8) The password policy is incorrect, it's totally different to as described.
9) I'm prohibited from connecting personal devices to the corporate network (despite this being allowed via VPN and encouraged in my side of the business).

I know it's a box ticking exercise and I know it's all bullshit, but what's the fucking point if they can't even get the document to agree with itself?
__________________
Appreciate 2
      03-22-2018, 05:46 PM   #2
Goneinsixtyseconds
Banned
United Kingdom
4280
Rep
7,703
Posts

Drives: Q7 & Clubman JCW on order
Join Date: Dec 2016
Location: Chesterfield

iTrader: (0)

Quote:
Originally Posted by Daftasabrush View Post
Why are they always such utter wank?

I've been 'assigned' a task to 'read, understand and agree to' our company handbook and infosec policies. This is fine in theory, but the fucking things are written by people who clearly don't read the whole lot together, and as such there's so many contradictions it's impossible to agree to! I'll get hounded by my seniors and HR if I don't agree to it but I can't actually agree to it.

According to the handbook and infosec policy:

1) All of my creations belong to the company (coffee table, CD rack, sledge etc) and must be surrendered upon leaving - guarantee they're not talking about these items but there's no distinction.
2) I'm allowed to use company email for personal usage - surprising but fair one
3) I'm allowed to use the internet for personal usage but at a minimum - fair
4) I'm not allowed to download copyrighted work (so what about that pesky browser cache?)
5) Internet usage is for business use only (erm? See point 3)
6) personal mail and personal internet usage must be approved separately (erm? See points 2 and 3)
7) The links to further documents point to a wiki that has since been decommissioned. I am expected to have read and understood these links...
8) The password policy is incorrect, it's totally different to as described.
9) I'm prohibited from connecting personal devices to the corporate network (despite this being allowed via VPN and encouraged in my side of the business).

I know it's a box ticking exercise and I know it's all bullshit, but what's the fucking point if they can't even get the document to agree with itself?
Imo, just sign it. If it's contradictory they'll be hard pushed to collar you for the contradictory parts. If they straighten it out, fix the links, you'll have to adhere to it all. Just keep copies and screen save the links that don't work.

I know a few people who've been had by e-mail policy and internet policy when a company wanted them out, but didn't want to make them redundant or pay notice.
Appreciate 0
      03-22-2018, 06:01 PM   #3
....,,,,..,,..
General
No_Country
6733
Rep
20,651
Posts

Drives: xxxx
Join Date: Dec 2013
Location: xxxx

iTrader: (0)

Sounds like a poorly implemented policy.

Also it's not a box ticking exercise.

Enough companies have been hit with Ransomware etc from poor info sec.

Having a decent info sec awareness and training system in place, rather than tedious policies is far better for staff and security in general.

I wrote pretty much all of ours from scratch, none are overly long but are shit reading material.

That's why awareness training is better, you can cover real life stuff.

I have a pet hate of poorly written and ineffective policies (read enough of them), if they can't create a decent policy, how can they have effective controls?
Appreciate 0
      03-23-2018, 01:14 AM   #4
Soul_Glo
Major General
United_States
13347
Rep
7,484
Posts

Drives: G20
Join Date: May 2013
Location: Manhattan, NYC

iTrader: (1)

Clearly the person writing it didn't have the brain or experience. I have written national policies for HMP and clear wording is essential, followed and supported by training if required.
Appreciate 1
      03-23-2018, 04:38 AM   #5
isleaiw1
Lieutenant General
8770
Rep
12,251
Posts

Drives: iPace / Mini
Join Date: Jul 2016
Location: UK

iTrader: (0)

Don't sign it. Send it back pointing out some of the contradictions and point out that it is ineffective and needs rewriting and then re-signing by every employee. HR will love you...
Appreciate 1
      03-23-2018, 08:41 AM   #6
ipilcher
Captain
435
Rep
940
Posts

Drives: 2024 M3 Compensation
Join Date: Nov 2013
Location: North Texas, USA

iTrader: (0)

It is very much a box ticking/CYA exercise. If something happens, the executives want to be able to point to the policy and blame the employees for not following it.
Appreciate 0
      03-23-2018, 10:13 AM   #7
....,,,,..,,..
General
No_Country
6733
Rep
20,651
Posts

Drives: xxxx
Join Date: Dec 2013
Location: xxxx

iTrader: (0)

Quote:
Originally Posted by ipilcher View Post
It is very much a box ticking/CYA exercise. If something happens, the executives want to be able to point to the policy and blame the employees for not following it.
Not sure if you are deliberately trolling but the likes of GDPR and general info sec are not box ticking exercises.

For example, physical security, with decent physical security in place you can prevent normal thefts, restrict access to certain areas etc.

Also when properly delivered and with effective controls, a lot can be transposed to a person's private life.

Also statements such as the Exec want to blame the employees, is a bit of a pointless statement, considering the various levels from Temp staff, basic employee to managers and directors before getting to Exec level.

Proper systems provide protection for staff, as clear effective processes if followed make it hard to blame an individual.

Unfortunately a lot of people creating systems and policies fail to realise the basics.
Appreciate 0
      03-23-2018, 11:51 AM   #8
Daftasabrush
Fool
England
1857
Rep
3,542
Posts

Drives: F31 340i
Join Date: Jul 2014
Location: England

iTrader: (0)

Quote:
Originally Posted by Brigand View Post
Not sure if you are deliberately trolling but the likes of GDPR and general info sec are not box ticking exercises.

For example, physical security, with decent physical security in place you can prevent normal thefts, restrict access to certain areas etc.

Also when properly delivered and with effective controls, a lot can be transposed to a person's private life.

Also statements such as the Exec want to blame the employees, is a bit of a pointless statement, considering the various levels from Temp staff, basic employee to managers and directors before getting to Exec level.

Proper systems provide protection for staff, as clear effective processes if followed make it hard to blame an individual.

Unfortunately a lot of people creating systems and policies fail to realise the basics.
A policy that's badly worded is a box ticking exercise so they can go to clients and state they 'have a security policy, blah blah' that's all it is. No policy that contradicts itself so many times is worth anything. Security isn't a box ticking exercise. Shit policies are. We're not talking about proper systems and proper security ideas etc. We're talking about policies that a three year old could write more accurately.
__________________
Appreciate 1
      03-23-2018, 12:08 PM   #9
....,,,,..,,..
General
No_Country
6733
Rep
20,651
Posts

Drives: xxxx
Join Date: Dec 2013
Location: xxxx

iTrader: (0)

Quote:
Originally Posted by Daftasabrush View Post
A policy that's badly worded is a box ticking exercise so they can go to clients and state they 'have a security policy, blah blah' that's all it is. No policy that contradicts itself so many times is worth anything. Security isn't a box ticking exercise. Shit policies are. We're not talking about proper systems and proper security ideas etc. We're talking about policies that a three year old could write more accurately.
Totally agree if they are that bad, however it should be challenged.

I would politely point out the policy is outdated and likely more of a liability than not having one.

In March 2018 there should not be companies with outdated info sec related policies, not with GDPR 62 days away, however there will be plenty that do not have a clue.
Appreciate 0
      03-23-2018, 12:15 PM   #10
Daftasabrush
Fool
England
1857
Rep
3,542
Posts

Drives: F31 340i
Join Date: Jul 2014
Location: England

iTrader: (0)

Quote:
Originally Posted by Brigand View Post
Totally agree if they are that bad, however it should be challenged.

I would politely point out the policy is outdated and likely more of a liability than not having one.

In March 2018 there should not be companies with outdated info sec related policies, not with GDPR 62 days away, however there will be plenty that do not have a clue.
It's been challenged, I was meant to complete this task by the end of the day today but I've not had any response.
__________________
Appreciate 0
      03-23-2018, 01:28 PM   #11
Skwirrel
Second Lieutenant
183
Rep
207
Posts

Drives: 330d
Join Date: Nov 2017
Location: Herts

iTrader: (0)

Don't sign it if you don't agree with it. They work on the basis that most employees are too scared to challenge it or too stupid to understand what it is they are signing.

I got given a new contract 11 months ago that I still haven't signed. I put a few questions back to HR who never followed up with me, so I didn't chase. Last week I got a separate short confidentiality document to sign instead, bizarrely wrapped up in a statement that gives HR permission to give my bank details to the relevant department to pay my expenses. Since I already get paid my expenses just fine I didn't sign that one either.

When I pointed out I haven't signed the contract as I haven't heard anything back from them yet there was some head scratching and ERM...oh shit we haven't done anything about that yet we'll get back to you.
Appreciate 0
      03-23-2018, 02:32 PM   #12
....,,,,..,,..
General
No_Country
6733
Rep
20,651
Posts

Drives: xxxx
Join Date: Dec 2013
Location: xxxx

iTrader: (0)

Quote:
Originally Posted by Skwirrel View Post
Don't sign it if you don't agree with it. They work on the basis that most employees are too scared to challenge it or too stupid to understand what it is they are signing.

I got given a new contract 11 months ago that I still haven't signed. I put a few questions back to HR who never followed up with me, so I didn't chase. Last week I got a separate short confidentiality document to sign instead, bizarrely wrapped up in a statement that gives HR permission to give my bank details to the relevant department to pay my expenses. Since I already get paid my expenses just fine I didn't sign that one either.

When I pointed out I haven't signed the contract as I haven't heard anything back from them yet there was some head scratching and ERM...oh shit we haven't done anything about that yet we'll get back to you.
I would be careful what you 'do not' sign over the next few months.

A lot of companies are having to reissue agreements, documents etc as part of the new elements of GDPR. We recently went through a similar process with 3rd party authorisation. Without updated details that are in line with GDPR, things like expenses may not get paid.
Appreciate 0
      03-23-2018, 04:09 PM   #13
SteveChester
Brigadier General
United Kingdom
2472
Rep
4,653
Posts

Drives: F82 M4
Join Date: Oct 2009
Location: Chester

iTrader: (0)

Quote:
Originally Posted by Brigand View Post
Sounds like a poorly implemented policy.

Also it's not a box ticking exercise.

Enough companies have been hit with Ransomware etc from poor info sec.

Having a decent info sec awareness and training system in place, rather than tedious policies is far better for staff and security in general.

I wrote pretty much all of ours from scratch, none are overly long but are shit reading material.

That's why awareness training is better, you can cover real life stuff.

I have a pet hate of poorly written and ineffective policies (read enough of them), if they can't create a decent policy, how can they have effective controls?
Can you send me what you have written then?
__________________
Steve Roberts UK
F82 M4
I'm running the 2024 London Marathon for the British Forces Foundation - https://www.justgiving.com/fundraising/sr5/
Appreciate 0
      03-23-2018, 04:33 PM   #14
....,,,,..,,..
General
No_Country
6733
Rep
20,651
Posts

Drives: xxxx
Join Date: Dec 2013
Location: xxxx

iTrader: (0)

Quote:
Originally Posted by SteveChester View Post
Can you send me what you have written then?
Sure I do reasonable rates.

Minimum contract 3 weeks at £500 per day.
Appreciate 0
      05-01-2018, 06:41 PM   #15
Daftasabrush
Fool
England
1857
Rep
3,542
Posts

Drives: F31 340i
Join Date: Jul 2014
Location: England

iTrader: (0)

As an update to this, after going around the houses, talking to the corporate legal team and my own lawyer, I now have my own waiver written which over-rides the company handbook and will remain until removed by both parties and in writing.

It does make me wonder, if they're that willing to roll over and agree to the terms employees set out, why bother with the set terms in the first place? Surely anyone who is likely to be a pain to the company will read things properly like I did? Are they hoping that people don't read it and then agree blindly regardless of their plans?

It honestly baffles me.
__________________
Appreciate 0
      05-01-2018, 07:03 PM   #16
JD6
Major General
United Kingdom
4271
Rep
6,944
Posts

Drives: 840i GC + Mini Electric L3
Join Date: May 2014
Location: United Kingdom

iTrader: (0)

Quote:
Originally Posted by Daftasabrush View Post
It does make me wonder, if they're that willing to roll over and agree to the terms employees set out, why bother with the set terms in the first place? Surely anyone who is likely to be a pain to the company will read things properly like I did? Are they hoping that people don't read it and then agree blindly regardless of their plans?
I expect that you would be surprised at the proportion who don’t read it. I once bought an off-plan apartment in London in a development of 500 apartments. I was about the 2-300th person to buy and yet my lawyer was the only one to pick up a bizarre clause in the contract which said something like - if you don’t use your parking space for a period of 3 weeks, you will forfeit your space.

When my lawyer asked for that clause to be struck out, they agreed. It got me wondering how the hell that clause evaded the hundreds of people who had bought before me. It turned out that the vast majority had used the developer’s recommended solicitor. Perhaps something similar happened.
Appreciate 0
      05-01-2018, 07:05 PM   #17
Daftasabrush
Fool
England
1857
Rep
3,542
Posts

Drives: F31 340i
Join Date: Jul 2014
Location: England

iTrader: (0)

Quote:
Originally Posted by JD6 View Post
I expect that you would be surprised at the proportion who don’t read it. I once bought an off-plan apartment in London in a development of 500 apartments. I was about the 2-300th person to buy and yet my lawyer was the only one to pick up a bizarre clause in the contract which said something like - if you don’t use your parking space for a period of 3 weeks, you will forfeit your space.

When my lawyer asked for that clause to be struck out, they agreed. It got me wondering how the hell that clause evaded the hundreds of people who had bought before me. It turned out that the vast majority had used the developer’s recommended solicitor. Perhaps something similar happened.
WTF, that's insane! What idiot doesn't pick up on that?

Mind you, what idiot doesn't discover the new build having a leasehold instead of a freehold...

All the morons.
__________________
Appreciate 0
All times are GMT -5. The time now is 04:17 PM.



