The most difficult part of creating a Security Policy for your business is determining what, exactly, to include in it. Never heard of a Security Policy before? You're not alone. But whether you are the only employee in your company or you have a small staff working for you, you need to learn what a Security Policy is, and then you need to create one.
In much the same way that a personnel policy informs employees of things like vacation time accrual, performance review schedule and other personnel-related issues, a Security Policy informs your employees of the steps that are necessary to keep your company's network and computers secure. The policy is your company's rules and regulations that are enforceable, under law if necessary, if breached.
A Security Policy will include rules and formal procedures that are clearly written and laid out. But most importantly, the information contained must be easy for employees of all levels to understand.
And just as it is with young children, the content of your Security Policy must be enforceable, and it must be enforced consistently. Saying in writing that something is not allowed, then allowing it to happen during regular work hours sends mixed messages to your employees. They won't know what really is right or wrong, which will defeat the whole point of your Security Policy. Inconsistent implementation also leaves you open to legal liability.
Like any good policy, your Security Policy should be regularly updated to reflect today's rapidly-changing business environment. Most of the time, you will be the person making these changes. However, if your company is growing and adding staff, this may not always be the case. Make sure the person responsible for updating your company's Security Policy has guidelines and boundaries, and most of all, make sure you read and approve any changes made by someone else.
Make presenting your Security Policy part of your new employee orientation procedure. Make sure every employee reads the policy, signs and dates a document certifying that it has been read, and then keep the signed and dated certification in their respective personnel folder. And every time that your Security Policy is updated, make every employee read it again, and sign and date a document stating that they have read the changes.
The types of topics you may want to cover in your company's Security Policy include but are not limited to:
* What can be loaded onto an employee's computer from floppy disk or CD
* What personal business, if any, can be conducted on the company computer
* Which files or company information is allowed to leave the internal network or is allowed to be sent out over the Internet
* Who is allowed to install new software and software upgrades onto the system, and equally important, who is not allowed to do this
* A password management and password change policy which includes the acceptable length of passwords. Provide examples of permissible/non-permissible passwords. Examples of non-permissible passwords might include date of birth, names of pets, nicknames, childrenĄ¯s names, etc.
* Who's allowed remote access to your network from off-site
* Policies for locking keyboard or using password protected screensavers when an employee's PC is left unattended
* Who is allowed to attach their laptop or other portable computing device to the network and what information they are allowed to upload/download
* Guidelines for vendors and other visitors who may need access to your network while they are on-site.
Whether you have one PC or several networked together, you have a lot of money invested. Protect this critical business asset with an iron-clad Security Policy.
