Security Policy — What it is and What to Include in Yours
What is a security policy?
A security policy is a written or digital document that states the rules and procedures for safeguarding an organization’s IT assets and resources. In practice it is a rulebook for your employees’ digital work life. With attackers using phishing emails more effectively and successfully tricking people into clicking malicious links, laying out the ground rules for employees is often an organization’s first step. The policy provides a foundation for awareness and judgement, reinforcing that even a small compromise or breach can cost a company thousands of dollars and the trust of its customers.
Security policies are living documents: they are kept current and continue to change and evolve as technology, threats, and employee requirements change. The most successful policies take the culture of the organization into account first. For example, if the policy reads as rigid and harsh while the office culture is relaxed and informal, employees may feel disconnected from it.
Rules and procedures should be driven by daily work processes. For example, mandatory remote-working policies and trainings imposed when every employee works from the office create confusion and can make the rest of the policy appear impersonal or irrelevant.
A company IT security policy should not change the business strategy or mission, nor should it stop work from getting done. While it should inform decision making, its purpose is to protect and secure the business without reshaping the organizational structure. The goal is a middle ground where the business can adopt new technologies and processes while reducing the risk that usually accompanies them.
Why do businesses need a security policy?
Small and medium businesses in particular are targeted by cybercriminals for their customer data, their connections to larger enterprises, and their perceived lack of protection. Techniques like phishing make it simple for attackers to bait employees into downloading malware onto a company device. As businesses become aware of the problem, more of them are holding trainings and sending reminders to employees about what to look for in a typical phishing email. Some companies have even terminated employees for repeatedly interacting with phishing attempts and exposing the network. IT security policies are created and implemented to raise awareness among employees and to safeguard information within the organization.
While trainings and seminars help, a written policy creates a more formal approach, one that works best when it can be adapted easily to existing, everyday work. It reinforces the importance of keeping information secure without making it too cumbersome for employees.
An effective security policy should include the following:
Asset Identification and Risk Assessments. This is an inventory of endpoints, networks, physical buildings, and other assets, together with the potential threats to each of them, from external and internal threats ranging from stolen information to a full-scale network breach.
Acceptable Use Policy (AUP) and Access Control Policy (ACP). An AUP is a standard policy that new employees read and sign during onboarding. It sets out the constraints and practices one must agree to before being granted access to the network, and it is typically reviewed by the organization’s legal and human resources departments. An ACP establishes access controls by defining who may access company information, and under what circumstances. It usually covers access to network and operating system software, removal of access for employees who leave the organization, and corporate password requirements.
Password, Email, and Internet Policies. These are three of the most common avenues that attackers target. Threats like credential stuffing, in which attackers replay passwords leaked from one service against others, reinforce the importance of strong passwords that are not reused across accounts. Email and internet policies lay out the procedures for verifying the sender and the destination URL before submitting sensitive information or clicking a link. The primary goal is to provide the necessary guidelines for acceptable use of corporate technology.
Change Management Policy. This section should include the process for submitting and implementing all changes to information technology, software, and security operations. Having a change management policy increases organizational understanding and awareness of changes and the impact to employees and customers.
Incident Response, Disaster Recovery, and Business Continuity Plan (BCP). These separate plans detail the organization’s response to a security incident or natural disaster, as well as how business operations will continue during recovery. Incident response plans are sometimes neglected because of the “it will never happen to me” mindset. Putting a plan in place before an incident occurs makes recovery much easier and gives employees and everyone else involved clear guidance.
And the good policies have…
- Compliance with Federal and State regulations
- Clear goals and expectations
- Last updated date
- Contact information for the policy owner, the person accountable for cybersecurity