User awareness and employee engagement have become a fundamental part of Local Government’s Information Assurance (IA) programme. Chelmsford Borough Council reviewed its processes to see how they could become best practice IA, ensuring compliance with legislation, regulation and Information Security standards.
A key deliverable from MetaCompliance is the Dynamic Intercept functionality, otherwise known as Point of Need Compliance. This allows the Council to deliver compliance prompts or warnings at any computer event. We used this capability to communicate Chelmsford’s USB Device Acceptable Usage Policy.
Martin Jimmick - ICT Technical Services Manager, Chelmsford Borough Council
MetaCompliance offered immediate auditable accountability we couldn't have achieved using conventional methods. Furthermore, its ability to integrate with our existing e-learning systems was very important to us.
Martin Jimmick - ICT Technical Services Manager, Chelmsford Borough Council
It became obvious that the Council would need to invest major resources to ensure all users received accurate, consistent policy communication and awareness training. In addition there was a need to capture a signature confirming understanding.
Conventional methods such as training sessions, intranet, emails and the staff notice boards were inefficient and ineffective. They decided to explore the market for automation software and MetaCompliance became the preferred solution.
One of the main drivers for deploying MetaCompliance was the dissemination of the formulated policies and processes devised by the Essex Online Partnership (EOLP). As a Phase 1 deployment, we delivered and received confirmation of understanding of these key policies that directly assisted with compliance with the GCSx Version 4.1 standard, ISO27001 and the NHS N3 Code of Connection.
In terms of the reaction from our employee base to this new form of awareness and compliance technology, I will admit that there was a level of anxiety within the ICT team responsible for the rollout; this was the first time policies had been delivered in this way and the ICT team did not know what to expect.
MetaCompliance makes the process extremely easy and quickly removed any anxiety, as the feedback received from the initial rollout proved very positive. There was no training of the end user involved, which made the deployment streamlined and non-invasive across the.
Point of Need Compliance was deployed during Phase 1. When a user inserted a USB key, they were presented with the Removable Media Acceptable Usage Policy. We have this scheduled to be delivered every time an employee accesses this area with their device. The attractive element of this is that if an employee never uses removable media devices, they will never receive the policy. In terms of the reporting and auditing associated with this policy, we were able to remediate in a more pro-active fashion with the non-compliant staff members and account for the gap in non-participation amongst staff.
Following the Phase 1 deployment, we were approached by other areas of the Business including HR, Internal Audit and the Learning and Development team, all of which have their own obligations under law to adhere to in the areas of user awareness and employee engagement.
They could see the benefits of MetaCompliance to disseminate their own compliance communications and for the Council to develop a Corporate Blended User Awareness Strategy employing all methods of communication available to best effect. This is a major benefit of MetaCompliance over other solutions providers.
MetaCompliance was the only solution we found which enabled enforcement of employee participation in policies, risk assessments and also e-Learning.
MetaCompliance were able to integrate successfully with both of our current e-Learning providers, through their e-Learning Connections functionality. We were then able to deliver a completely automated and enforced user awareness programme scheduled to the end user on the desktop, ensuring participation by a given date. This unique functionality within MetaCompliance provides an interface into most SCORM based E-Learning solutions.
The Council will now benefit by leveraging off our existing investment in e-Learning solutions. Obtaining user participation in our E-Learning content has always been a challenge, fraught with inconsistencies and errors due to the manual effort involved in ensuring user participation. MetaCompliance can ensure 100% participation and provides immediate auditable accountability we couldn’t have achieved using conventional methods.
Chelmsford Borough Council has embraced MetaCompliance and it now plays a significant role in the way that we communicate with our employees. There are a number of areas that the Council is keen to automate utilising the unique capabilities within the MetaCompliance solution:
With the assistance of Information Assurance specialists in MetaCompliance Limited, we have devised a 4 key step approach to improving the Authority’s corporate communication plan. We plan to establish a Group called the MetaCompliance Information Assurance Communications Group.
This Strategy will help underpin Governance and Compliance frameworks that affect the business, both immediate and in the future, as well as drive the development of a multi-phased compliance communications roadmap based on the Information Assurance Maturity Model (IAMM) roadmap.
By utilising the 4 key steps in line with the IAMM, Chelmsford Borough Council will be equipped to establish a baseline of awareness levels within the Council to allow for a drive at culture change in relation to information handling.
This will allow for an insight into the current awareness levels within the Council and to establish the desired security culture. This approach will allow us to understand our strengths and weaknesses and identify areas where improvements would facilitate a cultural change.