AVG SMB Security Boot Camp: Part Eight- Developing a Security Policy
Creating a company security policy need not be a major headache. Approach the process knowing that every element of your IT you lock down is one less weakness in your business.
The key to this task is making your security policy bite. It needs to have teeth and it needs to be enforceable. This means that breaches of policy do not go unrecorded without action being taken upon employees themselves. Making your security policy part of your terms and conditions of employment is the only sure fire way of achieving this.
Before laying down a set of unworkable over stringent control measures, it is important that you talk to all departments (or all employees if the business is smaller) to not only get buy-in to the process, but also to ensure that you take into consideration the operational needs of each business function without rendering them unworkable.
As crucial as it is to gain departmental employee-wide buy-in and acceptance of your security policy, it must also be fully endorsed and supported by senior management, Human Resources and the business owner. This must form part of your foundational first steps.
Keep things realistic and do not try and mitigate for every IT security issue imaginable. Technology shifts rapidly, so make this a living document that can be augmented and adapted over time.
Your first IT security policy should probably have a shelf life of around three to five years, but a constant process of revision and maintenance of the document is essential to keep the information relevant.
You should aim for clear and precise use of language. The most obvious pitfall that exists here is employees claiming that they did “not understand” the policy document. For example – don’t say “stipulations” when you can simply say “rules” and so on.
Clearly state to whom the company’s security policy applies to. This should extend to “any user of the company’s equipment and facilities” including temporary staff, company partners, third party consultants and even remotely connected overseas users.
Establish roles and responsibilities at the outset. Compartmentalize your policy if necessary so that different departments or employees have different usage privileges and rights. This may not happen until the second revision of your policy, but keep it front of mind.
Your security policy should encompass how employees “deal with” data from a storage, transmission and transactional perspective. Basically, if company data is on the move, then your policy needs to know about it.
Above all, make your IT security policy achievable. Create it in a form suitable to fit your business and your firm’s culture. It should show that you have performed due diligence to mitigate risks and threats to your business.
Be authoritative, be reasonable and be clear. Your goal is to reduce ambiguity and provide clarity. A sound IT security policy is the foundation of any sound business model so start creating yours today.