-- particles

IT Policies

Every Organization Needs IT Policies

Keeping a business’s data secure requires not only good technology but good policies. User carelessness is the biggest cause of breaches, and technical measures can’t stop people from making dangerous mistakes. A set of policies that employees and contractors understand, together with training in how to apply them, should be a basic part of the strategy of any organization that has important data which it needs to protect.

A well-written policy is clear and specific, but not so loaded with unnecessary detail that it takes a lawyer to decipher it. If it’s too hard to read, people will just skim over it without understanding. The essentials in a policy need to include what it requires, whom it applies to, and a broad overview of how to carry it out, as well as possible penalties for non-compliance.

How strict the policies have to depend on the kind of organization. Offices that hold personal health information, handle credit cards or do classified work need especially tight policies. Any organization that handles money or personal information needs reasonably strict policies, though. There’s no such thing as an organization that is too small for attackers to pay attention to it; in fact, some criminals specialize in small organizations on the assumption that they have lax security.

We can broadly divide policies into those which apply to all users and those which concern only IT personnel. Let’s look at a few in the first category, as examples.

  • Email policy. The policy should state to what extent it allows personal communication using company email, if at all. It should explain retention requirements, indicate what kind of language and commentary it prohibits, and spell out what use of third-party email services it allows or doesn’t. It should notify users that their mail may be monitored and they have no expectation of privacy.
  • Password protection policy. This has to place specific requirements on the formation of strong passwords, prohibit password sharing and reuse, and list specific practices (writing down passwords or hints, giving them over the telephone, etc.) that users have to refrain from. If the company does any password guessing to test compliance, the policy needs to let the users know.
  • Remote access policy. Instructions on how users may access the organization’s systems from outside go here. Requirements may include coming in only through the VPN, protecting their VPN passwords, not simultaneously connecting to other networks, and having antivirus software.

Other policies are specific to management and IT personnel. Let’s look at a few examples.

 

  • Disaster recovery plan policy. This doesn’t specify the contents of the plan but states what kinds of contingency plans the staff has to create. It places requirements for reviewing the plan periodically and conducting tests.
  • Server security policy. The requirements of this policy should include registering all servers, designating the primary person responsible for each one, specifying requirements for generating and retaining logs, maintaining access control (including physical access), keeping the software up to date, and reporting security incidents.
  • Equipment disposal policy. This policy has to cover such issues as wiping disk drives before disposal, tracking and identifying equipment that has been cleared for disposal, and recycling. It needs to identify the kinds of equipment which it covers.

The SANS Institute’s website offers a broad range of templates for information security policies. These are available at no cost to download and adapt. Not every organization will need all of them, but they offer a good starting point.

Policies need to go hand in hand with training. Users need to get instruction in what’s expected of them, along with an opportunity to ask questions. They should learn what to do and whom to contact when something isn’t happening according to policy.

Our Managed IT Services can help your organization achieve the level of security it needs.

 

Professional IT Management

Engineering & Support

Planning & Consulting

White Mountain IT

Related Posts

Sound Familiar?

Here are some of the most common complaints we hear from businesses that aren’t satisfied with their IT vendor and want to switch to White Mountain.

There is a Better Way!

Give White Mountain IT a Call Today

BOOK A CALL

Onsite Service Coverage

From Concord NH to Boston

Although we provide remote services and support to businesses in over 20 states, onsite services are limited to within reasonable driving distance from our offices in NH. If needed, we will manage a local vendor for locations outside of our service area to provide onsite assistance when needed.

Onsite Computer Support Services are available to businesses within 60 miles of Nashua New Hampshire. We have excellent onsite coverage from Concord NH, south through Manchester NH, and then down into Boston. From Northern and Central Mass, we cover from Worcester, east to the North Shore, including the Salem NH and Portsmouth NH area.

Need an Onsite Visit?

We've Got You Covered!

ONSITE COVERAGE
Serving Southern New Hampshire
and Northern Massachusetts
Manchester:

121 Riverfront Drive
Manchester NH 03102

Nashua:

33 Main Street
Suite 302
Nashua NH 03064

Client Help Desk        603-889-2210

New Client Inquiries   603-889-0800

OPEN POSITIONS

Client Help Desk

603-889-2210

New Client Inquiries
   603-889-0800

© 2024 All Rights Reserved. copy_right_image

Protected by Copyscape Plagiarism Checker – Do not copy content from this site.