If I were a policy-maker, I would obligate companies with more than 20 employees to implement the following minimum set of requirements:
- Company Policy
  - Email Policy
  - Network Access/Security Policy
  - Password Policy
  - Wireless Policy
  - Review and update every six to twelve months.
- Awareness
  - Make security training personal
  - Consequences for noncompliance
- Training
  - Provide updates to employees with the latest security vulnerabilities and train them on how to recognize and avoid them
  - Perform phishing tests
- Education
  - Regularly test your employees’ current security knowledge
  - Provide visual aids about the policy or helpful hints
- Technology
  - Make sure everything is up to date
Depending on my actual position and what type of company it is, I may or may not impose fines. For something that may be handling a lot of PII, I would; however, if very little of value is being kept on networks, I may not. My reasoning behind that is that one must learn the value in protecting things of value. And no one wants their information stolen.