Security Blog

Create a bot to communicate security policy on your intranet

Let’s face it. Security policy is boring. Really boring. I’ve worked in infosec for over fifteen years and writing a suite of security policies for an organization is one of the dullest tasks you can be assigned as a consultant. Red teaming: Awesome. Incident response: Awesome. Security policy: Need lots of coffee, don’t fall asleep.

However, writing security policy that is practical for your business, and then actually communicating it to staff, is one of the most important fundamentals to get right in security for any company.

In most companies, security policy is in one of these states:

1.      Not documented or defined

2.      Documented, but not practical for the business

3.      Documented and practical, but staff have not read it and are not familiar with any of the content

If (1) or (2) apply to your business, then you have some groundwork to do to get to state 3. If you are at state 3, then here’s a way to get your staff familiar with your policy: put it into a bot on your intranet. Usually, when staff try to find the security policy, it is because they are about to do something they suspect they shouldn’t and want to know what the corporate policy says. In most companies, they will spend approximately 30 seconds looking for it, and either:

1.      Not find it

2.      Find a security policy, but nothing that refers to their area of interest

3.      Find it, but conclude that it is too technical to understand

Each of these outcomes ends with them doing the thing they suspected was against policy (insert your typical security violation here: sending data to personal email, sending sensitive information to unauthorized individuals, using personal USB devices, etc.).

To head off these violations, you can build your security policy, advice and training into a bot and connect it to your intranet, so the answer is a quick question away at the moment someone is looking for it.

Azure Bot Services

At Keysquare, we made Marvin the security bot using Azure Bot Services and QnA Maker (fans of The Hitchhiker’s Guide to the Galaxy will get the reference). This is done as follows:

1.      Create a table with a series of questions and answers. This will typically be 400-500 lines covering your policy, advice and training

2.      Create a QnA service in Microsoft Azure

3.      Connect your QnA service to your knowledge base

4.      Name your knowledge base (in our case, Marvin)

5.      Populate your knowledge base

Once completed, you can connect the bot to your intranet for easy access by your staff.
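The following is an added example, not Keysquare’s code or anything from the post, of what step 1 and step 5 look like in practice: turning the question-and-answer table into the knowledge base payload that the QnA Maker v4.0 REST API accepts, and handling the bot’s answers on the way back. The TSV columns, the "area" and "ref" metadata tags, the resource and host names, the 50-point confidence threshold and the sample rows are all assumptions of the example. Two things a practitioner wants here that the portal wizard does not check for you: the same question mapped to two different answers (the bot will then confidently quote whichever it matches, which for policy is worse than no answer), and a low-confidence match, which should be turned into a referral to the security team rather than a guess. The subscription key that creates and edits the knowledge base grants full control over its content, so it belongs on the server that builds the bot, never in the intranet page. QnA Maker has since been superseded by custom question answering in Azure AI Language; the payload shapes below are the v4.0 ones.

```python
"""Added example (not Keysquare's code): build a QnA Maker v4.0 knowledge base
payload from a policy Q&A table, with the checks a policy bot needs.

Assumptions: TSV columns, metadata tag names, resource/host names, the
confidence threshold and all sample rows are illustrative, not from the post.
"""
import csv
import io
import json
import urllib.request

# Constructed sample of the policy table (a real one is 400-500 rows).
# Rows 1 and 2 are two phrasings of one answer; row 4 contradicts row 3.
_NO_PERSONAL_EMAIL = ("No. Company data must not be sent to personal email accounts; "
                      "use the approved file-sharing service for external recipients.")
SAMPLE_TSV = "\n".join([
    "question\tanswer\tsource\tmetadata",
    "Can I email work documents to my personal account?\t" + _NO_PERSONAL_EMAIL
    + "\tAcceptable Use Policy\tarea:email;ref:AUP-4.2",
    "Can I forward work files to my Gmail?\t" + _NO_PERSONAL_EMAIL
    + "\tAcceptable Use Policy\tarea:email;ref:AUP-4.2",
    "Can I use my own USB stick?\tNo. Only company-issued encrypted USB devices may be used; "
    "ask IT for one.\tRemovable Media Policy\tarea:removable-media;ref:RMP-2",
    "Can I use my own USB stick?\tYes.\tOld wiki page\tarea:removable-media",
])

# Constructed generateAnswer responses in the shape QnA Maker returns.
SAMPLE_RESPONSE = {"answers": [{"answer": "No. Only company-issued encrypted USB devices "
                                "may be used; ask IT for one.", "score": 78.2, "id": 1,
                                "questions": ["Can I use my own USB stick?"]}]}
NO_MATCH_RESPONSE = {"answers": [{"answer": "No good match found in KB.", "score": 0, "id": -1}]}


def parse_table(tsv_text):
    """Read the Q&A table (one question per row) into dicts with stripped fields."""
    reader = csv.DictReader(io.StringIO(tsv_text), delimiter="\t")
    return [{k: (v or "").strip() for k, v in row.items()} for row in reader]


def _metadata(field):
    """'area:email;ref:AUP-4.2' -> [{'name': 'area', 'value': 'email'}, ...]"""
    pairs = [p.split(":", 1) for p in field.split(";") if ":" in p]
    return [{"name": k.strip(), "value": v.strip()} for k, v in pairs]


def build_qna_list(rows):
    """Group alternative phrasings of one answer into a single QnA entry and
    flag questions that map to more than one answer or have empty fields."""
    entries = {}   # (answer, source) -> QnA entry
    seen = {}      # normalised question -> answer it was first given
    problems = []
    for row in rows:
        q, a = row["question"], row["answer"]
        if not q or not a:
            problems.append(f"empty question or answer: {row!r}")
            continue
        key = q.casefold()
        if key in seen:
            if seen[key] != a:
                problems.append(f"conflicting answers for {q!r}")
            continue  # exact duplicate rows are silently merged
        seen[key] = a
        entry = entries.setdefault((a, row["source"]), {
            "id": 0, "answer": a, "source": row["source"],
            "questions": [], "metadata": _metadata(row["metadata"]),
        })
        entry["questions"].append(q)
    qna_list = list(entries.values())
    for i, entry in enumerate(qna_list):
        entry["id"] = i
    return qna_list, problems


def create_kb_request(resource, subscription_key, name, qna_list):
    """Build (without sending) the v4.0 'create knowledge base' call.
    The subscription key edits the KB, so this runs server-side only."""
    url = f"https://{resource}.cognitiveservices.azure.com/qnamaker/v4.0/knowledgebases"
    body = json.dumps({"name": name, "qnaList": qna_list}).encode()
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Ocp-Apim-Subscription-Key": subscription_key,
        "Content-Type": "application/json",
    })


def pick_answer(response, threshold=50.0,
                fallback="I could not find that in policy; please ask the security team."):
    """Return the top answer only if its confidence (0-100) clears the threshold;
    a wrong policy answer is worse than a referral."""
    answers = response.get("answers") or []
    best = max(answers, key=lambda a: a.get("score", 0), default=None)
    if best is None or best.get("score", 0) < threshold:
        return fallback
    return best["answer"]


def query_kb(host, kb_id, endpoint_key, question, top=1):
    """Runtime query against a published KB (needs network and the endpoint key)."""
    url = f"https://{host}/qnamaker/knowledgebases/{kb_id}/generateAnswer"
    req = urllib.request.Request(url, method="POST",
                                 data=json.dumps({"question": question, "top": top}).encode(),
                                 headers={"Authorization": f"EndpointKey {endpoint_key}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return pick_answer(json.load(resp))


if __name__ == "__main__":
    qna, problems = build_qna_list(parse_table(SAMPLE_TSV))
    print(f"{len(qna)} entries; problems: {problems}")
    print(pick_answer(SAMPLE_RESPONSE))
    print(pick_answer(NO_MATCH_RESPONSE))
```

Run it as-is to see the table collapse to two entries and the contradictory USB row reported; fix every reported problem before the payload goes anywhere near `create_kb_request`, because QnA Maker will happily import the contradiction. The metadata tags are what let the intranet page scope a query (for example, only "area:email" entries from the mail client’s help link), which keeps the 400-500 row knowledge base from answering a USB question with an email policy.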

The screenshots below show the output from some basic questions:

[Screenshots of Marvin answering basic policy questions: img2.png, img1.png, img3.png]