Create a bot to communicate security policy on your intranet
Let’s face it. Security policy is boring. Really boring. I’ve worked in infosec for over fifteen years and writing a suite of security policies for an organization is one of the dullest tasks you can be assigned as a consultant. Red teaming: Awesome. Incident response: Awesome. Security policy: Need lots of coffee, don’t fall asleep.
However, documenting a security policy that is practical for your business, and communicating that policy to staff, is one of the most important fundamentals to get right in security for any company.
In most companies, security policy is usually in one of these states:
1. Not documented or defined
2. Documented, but not practical for the business
3. Documented, practical but staff have not read it and are not familiar with any of the content
If (1) or (2) apply to your business, then you have some groundwork to do to get to state 3. If you are at state 3, then here’s a way to get your staff to become familiar with your policy: put it into a bot on your intranet. Usually when staff try to find security policy, it’s when they are about to do something which they know they shouldn’t do and want to know what the corporate policy says. In most companies, they will spend approximately 30 seconds looking for security policy, and either:
1. Not find it
2. Find a security policy, but nothing that refers to their area of interest
3. Find it, but conclude that it is too technical to understand
Each of these outcomes results in them doing the thing they know is probably against policy (insert typical security violation here: sending data to personal email, sending sensitive information to unauthorized individuals, using personal USB devices, etc.).
Now, in order to prevent these security violations, you can build your security policy, advice and training into a bot and connect it to your intranet for easy access.
Azure Bot Services
At Keysquare, we made Marvin the security bot using Azure Bot Services / QnA Maker (fans of the Hitchhiker’s Guide to the Galaxy will get the reference). The setup involves the following steps:
1. Create a table with a series of questions and answers. This will typically run to 400-500 rows covering your policy, advice and training
2. Create a QnA service in Microsoft Azure
3. Connect your QnA service to your knowledge base
4. Name your knowledge base (in our case, Marvin)
5. Populate your knowledge base
Once completed, connect the bot to your intranet so that staff can reach it easily.
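The following is an added example, not Keysquare's Marvin code or anything from Microsoft's QnA Maker SDK. It shows the first step above in practice: a question-and-answer table, serialised as a tab-separated file for bulk import into the knowledge base, plus a small local matcher so you can check before import that staff phrasings ("usb stick", "personal email") land on the right policy entry and that unrelated questions fall back to a safe "ask the security team" answer rather than a wrong one. Assumptions: the import format is a TSV with the columns Question, Answer, Source and Metadata (verify this against your QnA service's current import documentation), and all policy rows below are constructed sample text, not a real organisation's policy.

```python
"""Build a Q&A table for a security-policy bot and sanity-check retrieval
locally before importing it into a hosted QnA service.

Added example; not the Marvin bot's own code. The TSV column layout is an
assumption about the import format and the policy rows are constructed.
"""
import csv
import io
import re

# Constructed sample rows. A real table holds 400-500 entries drawn from
# the organisation's own policy, advice and training material.
POLICY_QNA = [
    {"Question": "Can I send work documents to my personal email?",
     "Answer": "No. Company data must stay on company-managed accounts. "
               "Use a corporate sharing link for external recipients.",
     "Source": "Acceptable Use Policy s.4", "Metadata": "topic:email"},
    {"Question": "Am I allowed to use a personal USB stick at work?",
     "Answer": "Personal USB storage is not permitted. Request an encrypted "
               "corporate drive from IT if you need removable media.",
     "Source": "Acceptable Use Policy s.6", "Metadata": "topic:removable-media"},
    {"Question": "How do I report a phishing email?",
     "Answer": "Use the Report Phish button in your mail client or forward "
               "the email to the security team mailbox.",
     "Source": "Security Awareness Training module 2", "Metadata": "topic:phishing"},
]

FIELDS = ["Question", "Answer", "Source", "Metadata"]


def to_qna_tsv(rows):
    """Serialise rows into the tab-separated layout assumed for bulk import."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, delimiter="\t",
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Words that carry no policy meaning; dropped so "Can I use..." and
# "Am I allowed to..." phrasings do not dominate the match.
STOPWORDS = {"i", "a", "an", "the", "to", "my", "at", "do", "can", "am",
             "is", "of", "it", "how", "for", "on", "in", "use", "allowed"}

FALLBACK = ("I couldn't find a policy that covers that. "
            "Ask the security team before you proceed.")


def _tokens(text):
    return {w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOPWORDS}


def best_answer(question, rows, min_score=0.34):
    """Return (answer, score) for the closest policy entry.

    Similarity is Jaccard overlap between the staff question's tokens and each
    stored question's tokens. Below min_score the bot returns the fallback
    rather than guessing, which is the safer failure mode for policy advice.
    """
    q = _tokens(question)
    best, best_score = None, 0.0
    for row in rows:
        k = _tokens(row["Question"])
        if not q or not k:
            continue
        score = len(q & k) / len(q | k)
        if score > best_score:
            best, best_score = row, score
    if best is None or best_score < min_score:
        return FALLBACK, 0.0
    return f"{best['Answer']} (see {best['Source']})", round(best_score, 2)


if __name__ == "__main__":
    print(to_qna_tsv(POLICY_QNA))
    for staff_question in ("usb stick", "personal email", "parking policy"):
        print(staff_question, "->", best_answer(staff_question, POLICY_QNA))
```

The threshold is the part worth tuning against your own table: too low and the bot confidently answers the wrong policy question, which is worse than the "couldn't find it" outcome the post describes; too high and staff fall back to guessing. A hosted QnA service does this ranking with a proper language model, but running a check like this over the raw table catches near-duplicate questions and missing phrasings before they reach staff.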
The screenshots below show the output from some basic questions: