Information Technology Security Policy and Procedures
What does Security Policy mean?
A security policy is a written document in an organization outlining how to protect the organization from threats, including computer security threats, and how to handle situations when they do occur.
A security policy must identify all of a company’s assets as well as all the potential threats to those assets. Company employees need to be kept updated on the company’s security policies. The policies themselves should be updated regularly as well.
A security policy should outline the key items in an organization that need to be protected. This might include the company’s network, its physical building, and more. It also needs to outline the potential threats to those items. If the document focuses on cyber security, threats could include those from the inside, such as possibility that disgruntled employees will steal important information or launch an internal virus on the company’s network. Alternatively, a hacker from outside the company could penetrate the system and cause loss of data, change data, or steal it. Finally, physical damage to computer systems could occur.
When the threats are identified, the likelihood that they will actually occur must be determined. A company must also determine how to prevent those threats. Instituting certain employee policies as well as strong physical and network security could be a few safeguards. There also needs to be a plan for what to do when a threat actually materializes. The security policy should be circulated to everyone in the company, and the process of safeguarding data needs to be reviewed regularly and updated as new people come on board.
Why you need IT Security Policies and Procedures?
- They address threats
Threats are everywhere, especially when it comes to IT Security and the explosion of Ransomware these days. The goal behind IT Security Policies and Procedures is to address those threats, implement strategies on how to mitigate those threats, and how to recover from threats that have exposed a portion of your organization
- They engage employees
Think about a time when you worked for an organization that forced a bunch of policies and procedures down your throat. What were some of the thoughts that you had? Where did these come from? Who created them? Why are we doing this? These are all valid questions and ones that can be avoided when you engage employees in the process of developing and implementing IT Security policies and procedures. Of course, there are going to be instances when organizations have to create and implement policies and procedures without engaging employees for obvious reasons. But think about the message that your organization is sending when they allow employees to participate in either the development or review of these policies and procedures.
- Who does what, when, and why?
IT Security policies and procedures provide a roadmap to employees of what to do and when to do it. Think about those annoying password management policies that every company has. You know the ones where you have to change your password every 60 minutes and can’t use the last 70 passwords that you previously entered. If that policy and procedure didn’t exist in organizations, how common would it be for people to use simple, easy to guess passwords that ultimately open the organization to increased risk of data theft and/or data loss.
- Who gets access to what?
Think about the days when you were back in college and you would go to a nightclub. Do you remember when you would venture towards the back of the nightclub and there was the VIP section with a very large, angry person guarding who got in and who didn’t get in? Policies and procedures play the role of bouncer in a nightclub. They dictate who has access to what information, why, and reasons for accessing it. Without policies and procedures in place, everyone would be allowed into the VIP section and that wouldn’t be good for business.
- What’s the penalty?
IT Security policies and procedures outline the consequences for failing to abide by the organizations rules when it comes to IT Security. We all have choices to make as to whether we are going to comply with the policy that has been outlined, that’s just human nature. But people like to know, and need to know, what the consequence is for failing to follow a policy. Policies and procedures provide what the expectation is, how to achieve that expectation, and what the consequence is for failure to adhere to that expectation. This eliminates any and all surprises as this will be clearly outlined, thus protecting the organization.
IT Security Policies and Procedures Examples
In the world of information technology as well as in serious companies that comply with security procedures, the rules are strictly written and must be respected. We will list only some important examples of IT Security Policies and Procedures.
- Acceptable Use Policy (AUP)
An AUP stipulates the constraints and practices that an employee using organizational IT assets must agree to in order to access to the corporate network or the internet. It is standard onboarding policy for new employees. They are given an AUP to read and sign before being granted a network ID. It is recommended that and organizations IT, security, legal and HR departments discuss what is included in this policy.
- Access Control Policy (ACP)
The ACP outlines the access available to employees in regards to an organization’s data and information systems. Some topics that are typically included in the policy are access control standards such as NIST’s Access Control and Implementation Guides. Other items covered in this policy are standards for user access, network access controls, operating system software controls and the complexity of corporate passwords. Additional supplementary items often outlined include methods for monitoring how corporate systems are accessed and used, how unattended workstations should be secured and how access is removed when an employee leaves the organization.
- Change Management Policy
A change management policy refers to a formal process for making changes to IT, software development and security services/operations. The goal of a change management program is to increase the awareness and understanding of proposed changes across an organization, and to ensure that all changes are conducted methodically to minimize any adverse impact on services and customers.
- Information Security Policy
An organization’s information security policies are typically high-level policies that can cover a large number of security controls. The primary information security policy is issued by the company to ensure that all employees who use information technology assets within the breadth of the organization, or its networks, comply with its stated rules and guidelines. This policy is designed for employees to recognize that there are rules that they will be held accountable to with regard to the sensitivity of the corporate information and IT assets.
- Incident Response (IR) Policy
The incident response policy is an organized approach to how the company will manage an incident and remediate the impact to operations. The goal of this policy is to describe the process of handling an incident with respect to limiting the damage to business operations, customers and reducing recovery time and costs.
- Remote Access Policy
The remote access policy is a document which outlines and defines acceptable methods of remotely connecting to an organization’s internal networks. This policy is a requirement for organizations that have dispersed networks with the ability to extend into insecure network locations, such as the local coffee house or unmanaged home networks.
- Email/Communication Policy
A company’s email policy is a document that is used to formally outline how employees can use the business’ chosen electronic communication medium. Sometimes this policy cover email, blogs, social media and chat technologies. The primary goal of this policy is to provide guidelines to employees on what is considered the acceptable and unacceptable use of any corporate communication technology.
- Disaster Recovery Policy
An organization’s disaster recovery plan will generally include both cybersecurity and IT teams’ input and will be developed as part of the larger business continuity plan. The CISO and teams will manage an incident through the incident response policy. If the event has a significant business impact, the Business Continuity Plan will be activated.
- Business Continuity Plan (BCP)
The BCP will coordinate efforts across the organization and will use the disaster recovery plan to restore hardware, applications and data deemed essential for business continuity. BCP’s are unique to each business because they describe how the organization will operate in an emergency.