We all have an understanding of what is “acceptable” and what is not, or do we? That is the main purpose behind developing a policy that your staff can use as a resource to clearly understand what your company deems acceptable.
Having an effective security plan requires team effort. Everyone needs to be involved and support the protection of information and information systems. It is the responsibility of everyone on the team to know and implement the guidelines.
Over the years, we have seen a lot of small companies (usually fewer than 10 employees) ignore this altogether. Unfortunately, this creates a situation where sooner or later trouble arises and we are called in to remediate the network or to recover data, a loss that could easily have been prevented by a simple, clear policy.
So what should be in your policy? Most policies start with an explanation and definition of systems, culture and security, and an invitation to the team to be a part of it. Then comes the purpose: what the policy is trying to accomplish. The scope, who the policy applies to, usually follows. After scope, the general use and ownership of company assets is clearly defined:
- What company information is, and who owns the data stored on the network.
- What users have access to, their responsibilities, and the reporting procedure.
- What constitutes good judgment.
- What the company may do, such as monitoring the network.
Then, some policies define minimum standards for passwords, access, posting on the intranet and email, web use, and what to do if users are going to step away from their system for more than a few seconds (lock the system, log off, etc.).
Some companies then define what unacceptable use means for their staff. This is where management can get very specific about what can lead to termination.
While it can be daunting to develop policies for your team, it is well worth the time and effort. Policies are the first thing that an auditor usually asks for, mainly because it shows whether management has taken steps to be responsible and organized. A business that scrambles to provide policies usually raises red flags. Many auditors will dig deeper if they see that a business does not have policies in place.
For more information, you can contact us at 512-336-2970 or via email for a quick conversation to see how we can be a resource.
Luis Delgado is a father, husband, community resource, speaker, and entrepreneur who founded The Critical Update, inc (TCUINC) in 2003. TCUINC is a technology consulting firm that has evolved from basic computer support to affordable technology consulting, network management, outsourced IT and cybersecurity. Our clients come from every industry in Central Texas. Luis is a certified HIPAA professional and is focused on helping business owners create more jobs for Texas families.