Processes and procedures are a must for companies if they want to scale. Most companies catch on to this at some point during their development, and some of the first areas of policy writing in smaller companies tend to center around the product or service central to the company or the administrative aspects of the organization. But, policies relating to technology (particularly those that are security related) are often overlooked. So, if you are one of the many companies that don’t know where to start with this, here are three security policies that will get you going and, when followed, will go a long way to keeping your business secure.
PASSWORD POLICY
Initially, employees (and business owners alike) may find a password policy frustrating, particularly if your current environment is lax about passwords, for example if everyone knows the server administrator password (that example was stressful just to type). Unfortunately, this is exactly why a policy is so critical. Humans tend toward the easiest path, which includes sharing passwords and choosing passwords that are easy to guess or crack. Set a policy that requires strong, unique passwords for each account, prohibits password sharing, gives each administrator their own credentials so that actions can be traced to a person, requires multi-factor authentication wherever it is available, and requires a password to be changed as soon as it may have been exposed. Forced changes on a fixed calendar matter less than length and uniqueness; current NIST guidance (SP 800-63B) no longer recommends routine periodic rotation, because it pushes people toward predictable variations of the same password.
BRING YOUR OWN DEVICE
Let’s say you have an employee who uses and stores company information on a personal laptop or phone. Then they leave the company. Your data may walk out the door with them, and with no policy governing how company data is handled on personal equipment, the recourse available to you may be limited. You also don’t control what the employee does with a personal device. If a personal machine that also holds company data is hit by ransomware such as CryptoLocker, the result can be serious for the business: the company files on that machine are encrypted, and any company share the device can reach may be encrypted too. Put a policy in place that protects your company’s data and sets out how it is accessed, where it is stored, and what happens to data on a personal device when the employee is terminated or leaves.
Even if you do not allow personal devices, you still need guidelines for how employees use company devices to store and manage data, and for personal use of those devices (if you allow it at all).
INTERNET USAGE
Let’s face it: the Internet is the Pandora’s box of technology security woes. It is a tool most businesses rely on, and it is arguably their biggest source of risk. It is wise to have a policy that governs how employees use the Internet. Are they allowed to check personal email? Can they download applications, music or games? Are certain websites or categories of websites off-limits? Spell it out so ignorance can’t be claimed later. Setting the right limits can avoid costly security breaches and repairs that result from visiting the wrong site or downloading the wrong program.
These are just a starting place. Your business likely needs other policies as well, such as an email policy or a remote access policy. For free examples of security policies that you can download and customize to your business, visit the free resources section at www.Sans.org. Be sure to communicate the policies you adopt thoroughly to your team; a policy nobody has read will not change behavior. And of course, consult your technology provider for help designing and implementing these policies, and enforcing them once they are in place.