User Acceptance of NACA is the #1 most important consideration that must be made during a deployment. This post should hopefully help you understand the best practices to make users "accept" the solution.
Messaging the Solution to Users:
In order for users to not get really upset about the solution, you MUST message the plans of turning on the NACA solution. If you do not message this information to users they will have no idea what hit them and you can rest assure that their boses or parents(in the EDU space) will hear about it and you will be getting A LOT of complaints. Along with these complaints will be the complete dislike of the solution before they have even used it. Messaging is simple and can be performed by using:
- Formal Letters
The content on the messaging needs to include:
- Benefits of CCA for the end-user & organization as a whole
- Reasons the organization is deploying the solution
- Time frames of deployment
- How the Deployment will affect the user
- What are the responsibilities of the user
- Policies that are enforced and when will they be enforced
- References to the Organization's Security Policy
- Where to find more information or who to contact in case of problems
This messaging will help users really see the reasoning why NACA is important and how it can help them as an individual. This in turn will truly help the acceptance of them having to interact with NACA.
Making the first encounter of the "terrible" green goblin (CAA) tolerable:
At first look, users can be very upset about having to use an agent to get onto the network. Because of the messaging that you have done they are at a minimum expecting it and have the knowledge to get through the experience. Tasks that you can do to ensure that the first time the user ever uses the product is successful and acceptable are:
- Deploy the agent via a Software Pushing Technology, like Altiris, to ensure that the user does not have to download the agent.
- Only cutover some users at a time, do NOT cutover all X users at once. This ensures that the users are able to have the best performance possible. This will also allow any administrators or help-desk staff to respond efficiently if problems arise.
- Make sure to enable Single Sign On (SSO), if possible, to allow the users not to have to login twice.
- To ensure users are able to be comfortable with the agent, before they have to spend 2 hours updating their machine to conform with security policy, it is best practice to start the NACA Deployments with optional requirements. This will present the user with the violations of their devices without stopping them from performing their normal tasks. E.G. All users must have AV Installed is a requirement in your security policy, but for the first 30 days the CAA will prompt users to install AV, but won't stop them from accessing the network if they chose not to remediate. After the users have had time to realize that they are out of compliance and they have had plenty of time to fix their violations at their convenience (typically 3-30 days depending on type/size/culture of the organization), the optional requiremetns should be changed to mandatory. This time frame of optional requirements should be illustrated in the original messaging about the solution. If the user community is non-adaptive to changes at all, then some organization even start with no requirements and then move to optional requirements.
Ensuring on-going Acceptance of the solution:
In order for users to continue to have that good feeling about the solution, administrators must follow some simple guidelines to ensure the user community stays happy:
- Configure the clearing of devices (Certified Device Timers, Session Timers, Heartbeat Timers) in a reasonable fashion. Timers must be used to ensure periodic posture assessment of users, but they should be configured in a reasonable manner. E.G. If a person has to login to theCAA every hour on the hour to get on the network they will not be happy.
- Ensure that maintenance of the NACA solution is performed off hours, remember some deployments are in-band and will denial of service users if you perform an upgrade during the day.
- Continue the good communication that was initially established. E.G. if you are going to start enforcing the use of Cisco Security Agent, make sure that the users understand the new requirement and do have time to ensure they are within compliance.
- Make sure the users have a knowledgeable help-desk that they can consult on any issues that come up.
Users are people too and if you take the proper steps to ensure that their experience with the solution is a positive one, you will receive positive feedback and lower the total cost of ownership (TCO). Help Desk tickets will be minimal and you can sleep better at night because users do have the latest signatures.