There should also be guidelines in place that govern the parts of the building that contract staff are allowed to enter. Sometimes the procedures for staff leaving the company, or for new staff on probation can create security problems. Examples include leaving security clearances in place for too long, not deleting the user accounts of former employees or allowing a new member of staff too much access to sensitive parts of the computer network or office space. There should also be guidelines in place to mitigate the threat posed by removable storage devices such as USB keys, PDAs and the ubiquitous iPod, which enable the transfer and storage of increasingly large volumes of data.

Staff need to be trained to understand the importance of security and of taking the security policy seriously. There should be guidelines for choosing and changing passwords, for locking workstations containing sensitive data when a member of staff leaves their desk, and for destroying confidential paper-based information - and these guidelines must be enforced. This doesn't mean the organisation has to operate as a police state, but it does mean adopting a sensible approach to security.