The security policy in place within your organization is meant to keep your data, personnel, and reputation safe. With effective security policies in place, security can be enforced more consistently throughout the entire organization.
In this blog post, we outline the components you should include in your IT security policy. We explain each section and give examples of how to protect the various moving parts of your business and technology ecosystem.
What to Include in your IT Security Policy
As with any contract, the first thing that should be made clear in your written security policy is what you intend to accomplish by creating and enforcing it. The scope should spell out exactly which information, systems, facilities, programs, data, networks, and users are subject to the policy.
Roles and Responsibilities
An absolute requirement for your IT security policy is an outline of roles and responsibilities. Essentially, you need to state who within the organization is responsible for the implementation, education, enforcement, and periodic updates of the program.
These roles are generally assigned to IT staff and management, though other owners can be defined as well. Independent responsibilities can also be assigned to end users, such as reporting witnessed violations or concerns.
Reference Relevant Documentation
If the IT security policy has supporting documentation, reference it in the policy document itself. This allows employees to follow up on any questions about the referenced material.
Common examples of documentation references that you might need to include in your IT Security Policy are:
Reference to Other Company Documents
Several company documents are commonly referenced in an IT security policy document. These often include:
- Employment Contract
- Contractor/Affiliate Contract
- HR documents
Reference to Relevant Legislation
For many organizations, items outlined in the IT Security Policy relate directly to the regulatory compliance requirements the organization is subject to. Some examples of these legislation-based regulatory guidelines are:
- The Sarbanes-Oxley Act of 2002 (SOX)
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- The “Do Not Call” List
- The CAN-SPAM Act of 2003
- The Gramm-Leach-Bliley Act of 1999
Threat & Risk Assessment
A thorough assessment of the risks that could create vulnerabilities within your organization is an absolute must for your IT security policy. The purpose of listing the threats and risks facing your organization is that the policy should then aim to address each of them.
The risks covered in your assessment may include one or more of the following:
- Physical loss of data: lost or stolen computer, storage device, or infrastructure
- Unauthorized access to your own data and to client or customer data
- Interception of data in transit
- Data corruption
Network Security Policies
Because networks are often the most exposed to both internal and external threats, network security policies often end up being the largest category in your IT security policy documentation.
- Firewall Policies
- Remote Access Policies
  - “Personal equipment that is used to connect to company-owned internal networks via remote access must meet the requirements of company-owned equipment”
- Router and Switch Security Procedures
- Access List Stipulations
- Installation of Devices on the Network
- Network Monitoring, Logging, and Intrusion Detection
- Backup Policies
- Server Security
  - “Servers must be physically located in an access-controlled environment”
- Virtual Private Network (VPN) Policies
System policies protect individual applications, workstations, and users. By focusing on systems individually, you can implement security more effectively in all phases of a system’s lifetime: development, implementation, maintenance, and disposal. You should aim to define policies for all mission-critical operating systems and servers. Consider which systems should be running on which networks, and how compliance with these policies will be monitored.
- Email Usage Policies
  - “Email must be used for business-related emails only”
  - “Any information that is contained in the emails is subject to copyright enforcement by Orion”
- Internet Policies
- Anti-Virus Requirements
- Social Media Control Policies
- Workstation Policies
  - “Computers must require logging in and be in idle mode after 10 minutes”
- Mobile Computing Devices
- Portable Data Storage
- Patching & Update Policy
- BYOD Policy
  - “All personal devices that contain company information must follow the same security guidelines as company-controlled devices”
Identity & User Management
Identity and User Management controls should aim to protect each individual user. This section focuses in large part on access management, which should be determined by business requirements and user needs.
- Who is covered by the Identity Management controls: are contractors and employees credentialed separately?
- What authentication methods will be put into place
- Password protocols, including guidelines for creating a strong password and for protecting that password after creation. For more suggestions on creating secure passwords, check out our blog post.
  - “All passwords must be changed on at least a quarterly basis”
  - “Password cracking or guessing may be performed on a periodic or random basis by the Infosec team or their delegates in order to ensure compliance”
Physical security covers a wide range of policies that control physical access to offices, server rooms, and other resources deemed appropriate. It spans an extremely diverse set of topics and requirements, many of which fall outside the standard parameters of an IT professional’s job description. However, no organization is secure unless its physical locations are also protected from attack. Items outlined in this section would include:
- Physical access to the general office
  - Are keycards required? Can contractors be given individual access? Are there specific rooms, such as a server room, that need individual access or keys and shouldn’t be accessible to the employee population as a whole?
- How visitors will be handled
  - Will they be required to sign in?
- Shipping and inventory management procedures
  - Who is authorized to sign for packages?
- Additional security measures
  - Will you require security cameras? How about an after-hours security guard?
- Ensuring that the office complies with the applicable fire, safety, and building codes
Behavior/Acceptable Use Policy
The Behavior and Acceptable Use section should cover items that belong in your IT Security Policy but are not specifically addressed in its other sections. Some examples of acceptable use guidelines are:
- Cannot use company resources to conduct any sort of illegal activity
- Cannot circumvent the protocols put in place by IT or Management that are intended to increase security and accountability
Outlining how you intend to update, monitor, and audit your IT Security Policies is a key component of a successful implementation.
The first and most important component of this audit structure is being able to see which employees have read the policy and confirmed that they understand its constraints. This audit trail should record the specific version of the policy, the date of acknowledgement, and the user’s signature.
Incident handling guidelines belong in your IT Security Policy so that staff know how to react when an incident occurs. This section will be closely tied to your organization’s business continuity or disaster recovery plan, though it may not be as thorough. It should include:
- How to evaluate a security incident
- How the incident should be reported
- How a problem should be eradicated
- What key personnel should be involved in this process
Another important component of the Incident Handling section is how noncompliance with the IT Security Policy will be dealt with. This may include:
- Verbal/written warnings
- Revocation of access privileges
- Disciplinary probation
- Criminal prosecution
You must also include in your IT Security Policy expectations and instructions regarding initial and ongoing training for your employees. Training should be provided at different levels for different members of the security program, from end users to C-level management.
Hopefully this post has given you a good list of policies to include in your IT Security Policy document. Security policies are crucial to protecting your data, business, and employees from threats, both internal and external. Putting together an IT Security Policy is not something that should be rushed or brushed off. Thorough preparation and documentation are the only way to ensure that the security program will be effective once implemented.
Do you have concerns about how to prepare your IT Security Policy? Contact our award-winning security experts today to see how we can help!