Creating a set of IT security policies is an important first step on the path to creating a comprehensive security plan that will protect your IT environment and keep data secure. Without a solid set of security policies in place, even the most expensive IT environment in the world can't protect your business from security threats and potential data exposure.
Different Types of Policies
IT services providers recognise that corporate IT security always starts and ends with the people that use your company's IT tools and strongly urge your company to create a set of easy-to-understand and implement security policies. Security policies are designed to document business operations, outline security procedures, and guide end-user behavior.
A well-crafted set of security policies will document all of the details around how your business protects its IT assets such as data, computer systems, services, etc. As an IT outsourcing provider, AlphaScan has had more than a decade of experience creating and implementing security policies for companies in many different vertical markets and recognises that the following policies are central to protecting your IT environment and important data.
Acceptable Usage Policy - AlphaScan believes that, as a general rule, this is typically the first IT security policy that any business should have. An Acceptable Usage Policy addresses end-user behavior and describes what can and cannot be done with any part of the corporate IT environment. IT support providers agree that Acceptable Usage Policies should address the following:
- Identify what types of websites end-users can and cannot access.
- Outline corporate policy on the usage of personal email, instant messaging, and social networking (Hotmail, Yahoo, Gmail, Facebook, LinkedIn, etc.).
- Define how and where to access and store company data on the network.
- Describe safe-computing guidelines such as logon/logoff procedures, password creation, etc.
Incident Response Policy - This policy will describe what end-users must do in the event that a virus outbreak, IT environment intrusion, accidental data exposure, or other security incident occurs. AlphaScan suggests that an Incident Response Policy should contain a detailed breakdown of containment procedures as well as a list of people that must be notified in the event of a security incident. An Incident Response Policy should address security incidents that include, but are not limited to, the following:
- Lost or stolen laptop or smartphone
- Lost data (USB drives, backup tapes, removable media, etc.)
- Virus or malware incident
- Accidental exposure of company, partner, or vendor data
- Insider threats created by employees that intentionally access and steal data for personal gain
- Burglary or unauthorised physical access to the facility
Remote Access Policy - This policy should define the required procedures for accessing company data from remote computers. A Remote Access Policy will identify who has permission to access data remotely, what sorts of data can be accessed, and how that access must be done. A Remote Access Policy should address how data can be accessed by the following methods:
- Web-based email
- Mobile devices (e.g. smartphones such as iPhones and BlackBerrys)
- Home office
- Extranets and SharePoint
Data Classification Policy - This policy should outline which corporate data is "sensitive" and what can and cannot be done with it. In order to protect your company's proprietary data and sensitive client, partner, or vendor data, IT companies that offer IT security support agree that a Data Classification Policy needs to do the following:
- Define which data is sensitive.
- Identify where sensitive data must be stored on the corporate IT network and how it is protected from unauthorised access.
- Specify how sensitive data must be transmitted.
Data Backup Policy - This policy should identify what types of corporate data need to be protected through backups. Because duplicating all company data is cost-prohibitive, IT consulting companies encourage only backing up important business data such as financial and HR records, client data, and any other proprietary data that, if lost, could affect the company and its operations. A Data Backup Policy needs to consider the complexities of backing up data that may be on portable devices such as phones or laptop computers, as well as remote offices. A Data Backup Policy should do the following:
- Define which data needs to be backed up as well as how often backups need to occur.
- Address the length of time that data needs to be retained (e.g. a month, a year, three years, etc.).
- Outline the acceptable method for backing up data on non-networked devices (laptops, remote offices, smartphones, etc.).
- Specify what media will be used for backups (tapes, hard drives, online services, etc.).
- Define which types of data must be encrypted and identify the approved encryption program.
Training Policy - IT consulting companies recommend that this policy identify how often end-users should be trained and on what they should be trained. While the Training Policy is often overlooked, it is an important step that should be taken to protect your corporate IT environment and the data it contains. A Training Policy should do the following:
- Define areas of IT for which end-users need to be trained.
- Identify how often training needs to occur.
- Define how the training will be conducted.
- Explain how training will be documented.
- Identify who is responsible for ensuring that training goals are met.
Because the security of your corporate IT environment is dependent upon end-user behavior, you need to create a set of security policies that will be easy to administer and follow while protecting your company from potential threats. To learn more about IT security policies in general, or to get help creating policies that are customized to your corporation's unique needs, please contact the IT security experts at AlphaScan.