The first thing that needs to be explained to a new employee is what a security policy actually is. Many people are IT-literate yet do not know what a security policy is, what it covers or what it contains. Employees who do not fully understand the policy are unlikely to comply with its principles, and as a result they could face disciplinary action or, in more serious cases, termination of employment.

The second point that needs to be explained is how to keep account details such as a username and password secure. The aim is to ensure that no unauthorised user can use those details to access the account and, through it, reach highly sensitive, confidential company data. The Harvard security policy states that "Passwords used on all systems for Harvard business should be of sufficient length and complexity to reasonably protect them from being guessed by humans or computers." [3] Employees must be aware of the password policy currently in force at their company and must abide by it. They must also never share their account details with any other employee, as this would be a clear violation of the policy.

Next, every employee must be told how to handle and store sensitive data on their workstation and, where applicable, on external storage devices. This matters because a data compromise can damage a company's reputation and hurt it financially: for example, if a large number of patients' medical records were disclosed to the public from a private healthcare facility, the resulting loss of clients would mean a loss of income. An employee should only handle data they are authorised to access, and should store it on an external device only if they have authorisation to do so. All highly sensitive and confidential stored data should also be encrypted (converted to ciphertext) under a password, so that if the company's network were ever hacked or otherwise compromised, the data itself would remain unreadable without that password. This protection is only as strong as the password and the way the encryption key is derived from it: a short or guessable password, or a key derived with a fast hash, can be brute-forced offline by whoever obtains the encrypted copy.

A final point that must be explained to every employee is how to respond to a potential security incident. A security incident "is an event that may indicate that an organization's systems or data have been compromised or that measures put in place to protect them have failed" [4], and "according to NIST Special Publication 800-61, a security incident is the violation of an explicit or implied security policy" [4]. Security incidents include the loss or theft of sensitive information and unauthorised access to a computer system or network. Each company or business should have a security incident response plan in place for these types of incident; every employee should be aware of this plan, know how to follow the procedures it contains and know whom to contact in an emergency.

All of these points need to be explained at the start of a person's employment, during their training, so that they fully understand what the security policy is and how to apply it from the moment they first sit down at their workstation. The employee should also sign a form confirming that they have understood the security policy and its principles and agree to abide by them. They should be re-trained annually so that they are aware of any changes made to the policy and remain fully up to date with it.

