Every Organization Needs IT Policies
Keeping a business's data secure requires not only good technology but good policies. User carelessness is the biggest cause of breaches, and technical measures can't stop people from making dangerous mistakes. A set of policies that employees and contractors understand, together with training in how to apply them, should be a basic part of the strategy of any organization that has important data which it needs to protect.
A well-written policy is clear and specific, but not so loaded with unnecessary detail that it takes a lawyer to decipher it. If it's too hard to read, people will just skim over it without understanding. The essentials in a policy need to include what it requires, whom it applies to, and a broad overview of how to carry it out, as well as possible penalties for non-compliance.
How strict the policies have to depend on the kind of organization. Offices that hold personal health information, handle credit cards or do classified work need especially tight policies. Any organization that handles money or personal information needs reasonably strict policies, though. There's no such thing as an organization that is too small for attackers to pay attention to it; in fact, some criminals specialize in small organizations on the assumption that they have lax security.
We can broadly divide policies into those which apply to all users and those which concern only IT personnel. Let's look at a few in the first category, as examples.
- Email policy. The policy should state to what extent it allows personal communication using company email, if at all. It should explain retention requirements, indicate what kind of language and commentary it prohibits, and spell out what use of third-party email services it allows or doesn't. It should notify users that their mail may be monitored and they have no expectation of privacy.
- Password protection policy. This has to place specific requirements on the formation of strong passwords, prohibit password sharing and reuse, and list specific practices (writing down passwords or hints, giving them over the telephone, etc.) that users have to refrain from. If the company does any password guessing to test compliance, the policy needs to let the users know.
- Remote access policy. Instructions on how users may access the organization's systems from outside go here. Requirements may include coming in only through the VPN, protecting their VPN passwords, not simultaneously connecting to other networks, and having antivirus software.
Other policies are specific to management and IT personnel. Let's look at a few examples.
- Disaster recovery plan policy. This doesn't specify the contents of the plan but states what kinds of contingency plans the staff has to create. It places requirements for reviewing the plan periodically and conducting tests.
- Server security policy. The requirements of this policy should include registering all servers, designating the primary person responsible for each one, specifying requirements for generating and retaining logs, maintaining access control (including physical access), keeping the software up to date, and reporting security incidents.
- Equipment disposal policy. This policy has to cover such issues as wiping disk drives before disposal, tracking and identifying equipment that has been cleared for disposal, and recycling. It needs to identify the kinds of equipment which it covers.
The SANS Institute's website offers a broad range of templates for information security policies. These are available at no cost to download and adapt. Not every organization will need all of them, but they offer a good starting point.
Policies need to go hand in hand with training. Users need to get instruction in what's expected of them, along with an opportunity to ask questions. They should learn what to do and whom to contact when something isn't happening according to policy.
Our Managed IT Services can help your organization achieve the level of security it needs.