Wednesday, 11 July 2018

Corporate IT Security Policy

Significant technological advances have changed the way we do business. The internet, email, and text messages have virtually replaced faxes, letters, and telexes in the corporate world. The internet is used to obtain information and to communicate efficiently with clients, business associates, and partners. While internet usage comes with numerous advantages, such as the speed of communication and an increase in the bottom line, it also has several drawbacks that can seriously hinder business productivity and growth. For example, personnel can use the internet as a distraction: perusing their Facebook, Twitter, and Instagram accounts, shopping on Amazon or eBay, checking the latest sports statistics, exchanging personal emails with colleagues and friends, and so on. These activities not only heighten the risk of incoming malware but also lower employee productivity and revenue. Therefore, devising a corporate IT security policy will help to mitigate the negative consequences associated with internet use – and email specifically.

The “nuts and bolts” of an IT security policy
I want to start by saying that a cookie-cutter approach to developing an IT security policy doesn’t exist. Every organization varies in its business practices and protocols, so one IT security policy won’t fit the needs of every organization. An IT security policy should be a customized document that accurately represents a specific business environment and specifically meets its needs. Don’t model your IT security policy exactly on Google’s or Apple’s IT security policies, because what works for them might not work for you.

An IT security policy is essentially a written strategy (plan) that covers the implementation of information security methods, technologies, and concepts. This policy offers overarching guidelines for company security procedures without precisely stating how the data will be protected. Some freedom is left to IT managers to decide which electronic devices, software, and methods would best implement the policy guidelines. An IT security policy shouldn’t explicitly state which vendors and technologies should be utilized. Its basic purpose is to establish the ground rules and parameters from which more specific data security practices are then worked out. The policy should encompass all of the organization's mission-critical data and electronic systems – including the internet, email, computer networks, and so forth.

Further, three vital points need to be considered when devising a corporate IT security policy: the confidentiality of sensitive mission-critical information; the availability of this information; and the protection of information from destruction (think viruses, worms, Trojans), internal misuse, and abuse.

The Top 3 Reasons for a Corporate IT Security Policy

An IT security policy provides a launching pad for further IT security procedures, a basis for consistent application, and a stable reference guide for IT security breaches when they do occur.
Rather than throwing this policy on the shelf to collect dust, use it to ensure that your corporate data remains secure and to exact appropriate penalties when it’s not. Below are three additional ways that an IT security policy may prove beneficial:

1. Corporate legal liability – When an IT security policy explicitly states how and when to use email, the internet, electronic devices, and computer networks, how sensitive corporate data should be handled, and the correct use of passwords and encryption, your exposure to malware and confidential data leaks will decrease markedly. Emails – personal and corporate – will inevitably make an organization vulnerable to (spear) phishing attacks, viruses, and other malicious software. Employees who exchange emails within or outside of the company may include racial and sexist jokes, sexually explicit content, and other material that may be deemed offensive by the recipients of these emails. This activity opens the company to massive legal liabilities if employees file lawsuits because they feel harassed or offended by these emails. An IT security policy (and its enforcement) will weed out offenders and hold up as a tight defense in a court of law, as the company can show that it did everything in its power to discourage offensive emails and resolve all related issues.

2. Third parties – When individuals and businesses (i.e. vendors, auditors, clients, investors, etc.) partner with you, they will probably want to know if you have an established IT security policy before they share their confidential information, such as bank statements, social security numbers, names, addresses, and other identity-specific information. For example, a clearing corporation offers all manner of finance processing and programming services for insurance companies, banks, and even government agencies. Naturally, it has a stringent IT security policy to ensure that none of those financial records is ever exposed to phishing attacks.

3. Compliance with government and local legislation – Finally, companies create IT security policies to meet the standards and regulations of government laws on the protection of electronic information.

On a slightly unrelated note, if your IT security policy contains a section on monitoring employee corporate and personal emails, clearly inform your employees that IT will monitor all inbound and outbound emails. If employees don’t know that their emails are being monitored and then come under scrutiny for a suspicious email, they may file a lawsuit against the company for invasion of privacy. To protect the company against this type of litigation, make employees aware of your IT security and email policies through informational sessions and training. Doing so places the responsibility for compliance on their shoulders and reduces the risk of unethical activity.

Most full IT security plans would include the following nine policy topics:

1. Acceptable Use Policy

Since inappropriate use of corporate systems exposes the company to risk, it is important to specify exactly what is permitted and what is prohibited. The purpose of this policy is to detail the acceptable use of corporate information technology resources for the protection of all parties involved. The scope of this policy includes any and all use of corporate IT resources, including but not limited to computer systems, email, the corporate network, and the corporate Internet connection. For example, Annese's Acceptable Use Policy outlines things like email use, confidentiality, social media and web browsing, personal use, and how to report security incidents. Your Acceptable Use Policy should be the one policy everyone in your organization acknowledges via signature that they have read and understood.

2. Confidential Data Policy

Confidential data is typically the data that holds the most value to a company. Often, confidential data is valuable to others as well, and thus can carry greater risk than general company data. For these reasons, it is good practice to dictate security standards that relate specifically to confidential data. This policy would detail how confidential data should be handled and give examples of what your organization deems confidential.

3. Email Policy

Email is an essential component of business communication; however, it does present challenges due to its potential to introduce security threats to the network. Email can also affect the company's liability by providing a written record of communications. Your email policy would detail your organization's usage guidelines for the email system. This policy will help the company reduce the risk of an email-related security incident, foster good business communications both internally and externally, and provide for consistent and professional application of the company's email principles. The scope of this policy includes the company's email system in its entirety, including desktop and/or web-based email applications, server-side applications, email relays, and associated hardware. It covers all electronic mail sent from the system, as well as any external email accounts accessed from the company network.

4. Mobile Device Policy

A more mobile workforce is a more flexible and productive workforce. For this reason, business use of mobile devices is growing, and as these devices become vital tools to conduct business, more and more sensitive data is stored on them; thus the risk associated with their use is growing. This policy covers any mobile device capable of coming into contact with your company's data.

5. Incident Response Policy

A security incident can take many forms: a malicious attacker gaining access to the network, a virus or other malware infecting computers, or even a stolen laptop containing confidential data. A well thought-out Incident Response Policy is critical to successful recovery from a data incident. This policy covers all incidents that may affect the security and integrity of your company's information assets, and outlines the steps to take in the event such an incident occurs.

6. Network Security Policy

Everyone needs a secure network infrastructure to protect the integrity of their corporate data and mitigate the risk of a security incident. The purpose of a specific network infrastructure security policy is to establish the technical guidelines for IT security and to communicate the controls necessary for a secure network infrastructure. This policy might include specific procedures around device passwords, logs, firewalls, networked hardware, and/or security testing.

7. Password Policy

The easiest entry point to building your security policy, a password policy is the first step in enabling employees to safeguard your company from cyberattack. (Annese is sharing our own password policy as part of the template to get you started here.) Passwords are the front line of protection for user accounts. A poorly chosen password may result in the compromise of your organization's entire corporate network. This policy would apply to any person who is provided an account connected to your corporate network or systems, including employees, guests, contractors, partners, vendors, etc.

8. Physical Security Policy

The purpose of this policy is to protect your company’s physical information systems by setting standards for secure operations. In order to secure your company data, thought must be given to the security of the company's physical Information Technology (IT) resources to ensure that they are protected from standard risks. This policy would apply to your organization's company-owned or company-provided network devices, as well as to any person working in or visiting a corporate office.

9. Wireless Network and Guest Access Policy

Every organization should have a wireless policy, which would likely need to include your guest access requirements. Wireless access can be done securely if certain steps are taken to mitigate known risks. Guest access to the company's network is often necessary for customers, consultants, or vendors who are visiting company offices. This may simply take the form of outbound Internet access, or the guest may require access to specific resources on the company's network. Therefore, guest access to the company's network must be tightly controlled. This policy would outline the steps the company wishes to take to secure its wireless infrastructure. These policies would cover anyone who accesses the network via a wireless connection, guests included.
