
"How should we communicate security controls and changes to our users? How do other Netskope customers do it?" 

These are questions we hear a lot, and the answer often is, "It depends."

Here are some key factors to consider:

  • Impact on Daily Operations: Will the change affect users' daily activities?
  • Access Restrictions: Will users lose access to something they previously had?
  • Policy Flexibility: Is your default policy open or restrictive, and how will this change affect the user experience—positively or negatively?

It’s important to strike a balance between inundating users with minor regular change announcements, and notifying them when an impactful change is incoming. Many small changes won’t need this level of awareness.

However, when users have access to something one day and lose it the next without warning, it can lead to frustration and a flood of support tickets—neither of which you want!

So, how does Netskope handle it?

At Netskope (Customer Zero), we notify our users about security policy changes through a company-wide email. This approach ensures that everyone is informed, reducing confusion and minimising the risk of negative reactions.

 

--- START EMAIL EXAMPLE---

[Application Name] Access Changes


As part of our ongoing effort to improve our security posture, we will be limiting activities to [APPLICATION]. Access to [APPLICATION] will be allowed for browsing. However, activities such as logging in, uploading, downloading, etc. will be blocked. The restriction of activities with [APPLICATION] is due in part to its low Cloud Confidence Index (CCI) security score which is indicative of its risk to any company in any industry as well as individuals; it currently scores 27 out of 100. Therefore, [APPLICATION] is not a sanctioned or approved application for business use and should be used on a limited basis personally on company resources.

 

 

For more information on the CCI in general or CCI risk assessments see Cloud Confidence Index (CCI) and CCI Risk Assessment

A complete list of approved/sanctioned applications may be found on the <link to Intranet>

Example User Coaching Alert when visiting [APPLICATION]:

 


 

Access to [APPLICATION] for activities other than browsing will be blocked from Monday 2nd September, 2024.

It is important to note that we have a specific Slack channel for any questions, comments or concerns.

CONTACTS:
Reporting Security Issues: Security Team
Email: security-team@company.com
Slack Channel: #ask-grc-team
Ticket Portal: Global Information Security Team Service Desk <link>

---END EMAIL---

 

How do you handle these communications in your organisation? Let’s share ideas and learn from each other!