When it comes to securing end-users, I often hear from IT directors that they are concerned about written passwords left near computers as well as devices that are left unlocked and unattended.  These are both fairly serious security issues, particularly when a user has access to sensitive data.  Luckily, you can help combat carelessness or complacency with walkthrough inspections.

Start by picking an area to inspect, then check for the following offenses.

• Visible passwords
• Unlocked workstations
• Unattended employee IDs
• Sensitive hard copies, media, or keys left unsecured

You can approach the inspection in a couple of different ways.

Informal

For every work area you plan to inspect, print out a list of the above offenses. Walk through each work area after hours.  Check off any items you find within a work area and leave it there for the employee to see when he or she returns in the morning.  The piece of paper should include a friendly reminder from IT staff that these things can mean a mark against the organization during audit times and that compliance with any use policies is necessary. Repeat this walkthrough in three months.

It’s also a good idea to keep a running tally of the violations you mark. This way, you can watch to see whether the numbers fall and implement different tactics as may be needed.  If you’re worried about ruffling feathers, you may want to talk with each department head or supervisor first. Let them know that this is for your own internal audit and that you’ll share results with them.

Formal

In this scenario, there are three parts: baseline, training, and testing/measurement.

Baseline

Start by running an after-hours walkthrough inspection to gather metrics without letting anyone know.  This will form a baseline that you can measure against in the follow-up walkthrough (which should be conducted just a few weeks later).

Training

Make sure employees and supervisors are aware of an upcoming inspection and use this opportunity for training. Tell them the specific items you will be checking for and explain why they’re an important part of security. You can even send e-mail reminders just prior to conducting the second walkthrough. The will allow you to see whether your training and notifications affect user behavior.

Testing/Measurement

Finally, after three months have passed, conduct another secret inspection. Review the information you have collected to measure whether employees have actually changed their behavior or if they still need reinforcement.

Download this template to use with your walkthrough inspections.