Companies should also implement policies that govern the parts of the building that contractors or visitors are allowed to enter. Sometimes the procedures for staff leaving the company or for new staff can create security gaps. Examples include leaving security clearances in place for too long, not deleting the user accounts of former employees or allowing a new employee too much access to sensitive parts of the network. There should also be guidelines in place to mitigate the threat posed by removable storage devices such as USB keys, PDAs and iPods. Such devices enable the transfer and storage of large volumes of data.

Staff must be trained to understand the importance of security and made aware that the security policy must be taken seriously. There should be guidelines for choosing and changing passwords, locking workstations containing sensitive data when leaving their desks, and destroying confidential paper-based information. Above all, these guidelines must be enforced! This doesn't mean the organization has to operate as a police state, but it does mean adopting a sensible approach to information security.