When it comes to security, a clear and comprehensive Security Policy is vital to an organization’s health and protection. It gives employees and executives a framework for understanding your company’s approach to security.
What is a Security Policy?
A Security Policy is a document that spells out the do’s and don’ts of how your company approaches security. It includes rules for employees as well as for digital/physical systems such as login screens and routers. Examples of the kinds of rules you might find in a security policy:
- Employee Exit policy, such as a mandate that an employee turn over both company-supplied and personal digital items (such as a cell phone) before leaving so IT personnel can ensure no sensitive information is leaving the company.
- Rules regarding the use of thumb drives brought in from outside the company, to guard against viruses being introduced into the network.
- Required behavior of any login screens your Development department creates, for example two-factor authentication, minimum length/strength of passwords, or account lockout after three failed attempts.
- Rules and penalties for behaviors that might compromise company security, such as browsing confidential financial reports while on a public network at a coffee shop.
- Protection of servers, for example disallowing remote login to the onsite server.
Tripwire has a great article on Security Policies here.
What is the purpose of a Security Policy?
A Security Policy has several purposes.
- To make sure executives and Board members are on the same page with regard to your company’s approach to security.
- To inform employees of what is and isn’t acceptable with regard to security.
- To give Development and IT clear guidelines when designing infrastructure and user interfaces.
- To give HR clear guidelines on how to proceed with Exit Interviews and disciplinary actions.
- To aid in legal recourse when the policy is breached.
Isn’t a Security Policy long and boring? Who’s going to read it?
You can think of a Security Policy as being in a similar category to an End User License Agreement (EULA). While not everyone will read the entire thing, it provides a company with both legal protection and a backbone on which to build more user-friendly explanations of relevant points.
The parts of the Security Policy that deal with routers, logins, etc. will be read avidly by the Development and IT teams, who are accustomed to reading technical documents.
For the parts that are geared toward other employees, such as policies about the use of personal devices or browsing while at Starbucks, additional materials can present this information in an easy-to-read format. Training can also be provided to bring them up to speed on important skills, such as how to create a strong password that they don’t need to write on a sticky note stuck to their monitor.
How do we make a Security Policy?
I work with you and your company to tailor a Security Policy that will protect your company while still allowing employees the access they need to do their jobs.
Contact me to find out more about how a Security Policy can help you.