How to Build Your WISP – Step 6: Establishing Rules of Behavior and Conduct
By this point in your Written Information Security Plan (WISP) journey, you’ve set security policies, assigned roles and responsibilities, developed an incident response plan, tracked assets, and conducted a risk assessment. Now it’s time to ensure employees understand their role in protecting information by establishing Rules of Behavior and Conduct that are easy to follow and enforce.
Why Do Rules of Behavior Matter?
Security policies alone aren’t enough—employees and contractors need clear guidelines on what’s expected of them. Establishing Rules of Behavior and Conduct helps:
Reduce security risks by setting expectations for handling data.
Create accountability so everyone understands their role in security.
Ensure compliance with regulations like the FTC Safeguards Rule and Gramm-Leach-Bliley Act (GLBA).
Standardize security best practices across the organization.
What to Include in Your Rules of Behavior and Conduct
Your Rules of Behavior and Conduct should be straightforward and easy to understand. Key areas to cover include:
1. Data Protection Responsibilities
Employees must only access data required for their job.
No sharing of login credentials or allowing unauthorized individuals access to company systems.
Secure sensitive data using encryption, where applicable.
2. Device and Account Security
All company devices must be secured with strong passwords and multi-factor authentication (MFA) where applicable.
Employees must lock screens when stepping away from their workstations.
Use only approved applications and cloud services for business data.
3. Internet and Email Usage
Employees must avoid clicking on suspicious links or opening email attachments from unknown sources.
Business accounts should not be used for personal activities.
Public Wi-Fi should not be used for accessing company data unless a VPN is enabled.
4. Reporting Security Incidents
Employees must immediately report suspected security incidents, including phishing attempts and unauthorized access.
A clear reporting process should be outlined in the WISP.
No employee should attempt to handle security incidents on their own.
5. Handling Sensitive Information
Personally Identifiable Information (PII) should never be shared over unsecured channels.
Dispose of printed documents securely using shredding or other approved methods.
Employees should be trained on recognizing social engineering attacks.
Integrating Rules of Behavior into Daily Operations
For security policies to be effective, they must be part of everyday business processes:
Include these rules in new hire onboarding and have employees sign an acknowledgment.
Require annual security training to reinforce key behaviors.
Post security reminders in common areas and digital workspaces.
Make reporting security concerns easy with a clear escalation path.
Compliance and Documentation
To meet regulatory and security requirements, document your Rules of Behavior and Conduct within your WISP:
A written acknowledgment signed by all employees and contractors.
Regular reviews to keep the rules up to date with evolving threats.
Clear enforcement policies, including disciplinary actions for violations.
Wrapping Up
Security is a shared responsibility, and establishing clear Rules of Behavior and Conduct ensures that employees actively contribute to protecting sensitive information. By setting expectations, integrating security into daily operations, and providing ongoing training, your business can maintain a strong security culture.
If you need help crafting practical, enforceable security rules, Zeus InfoSec is here to guide you. We specialize in turning complex security policies into actionable, easy-to-understand guidelines.
In the next post, we’ll cover Setting an Annual Review Date for Your WISP—ensuring your security program stays current and effective over time.
Still not sure where to start?
Check out Protect Your Business with Our Free Cybersecurity Checklist for Small Businesses or our Free Cybersecurity Essentials eBook.
Until next time…
Stay Safe. Stay Secure. And Remember….
Business is hard enough. Cybersecurity doesn’t have to be!