Security Policies Every Company Should Have
An Introduction to Creating Effective Security Policies
Written policies are essential to a secure organization. Everyone in a company needs to understand the importance of the role they play in maintaining security. One way to accomplish this - to create a “security culture” - is to publish reasonable security policies. These policies are documents that everyone in the organization should read and sign when they come on board. In the case of existing employees, the policies should be distributed, explained and - after adequate time for questions and discussions - signed.
This article will introduce you to six policies that every organization should consider adopting. The specific policies that you implement, as well as the amount of detail they contain, will change as a company grows. Certainly, an organization with two employees has different security concerns than an organization of thousands. This list addresses both physical and information security issues and is meant to provide a starting point for assessing your particular security needs.
The dangers of internet access include downloading malicious software such as viruses, spyware, or Trojans. An Internet Usage policy should address whether employees may use company computers for personal purposes, and whether software may be downloaded by anyone other than a system administrator. You should also consider whether Instant Messaging may be used during company time and/or on company equipment.
Email and social networking have created their own category of security concerns. These technologies make it very simple to disseminate information. And once that information leaves your building, it can rarely, if ever, be recalled. Your email policy should address appropriate content for company emails and social media pages. Assume that nothing will stay private on the internet. Content that includes off-color humor and images may damage your company’s image, and revealing confidential information may imperil your security.
Unlike an electronic access device, mechanical keys can be duplicated and used without leaving a trail. Your key control policy should include a means to track who is currently holding mechanical keys and who has permission to duplicate those keys. For a more in-depth look at this critical policy, you can read my article, Don’t Ignore Key Control.
PDA/Mobile Device Security
You don’t have enough fingers to plug all the leaks that a mobile device can punch in your security dike. A modern mobile phone can store sensitive information as well as provide an access point into your network. If you are using PDAs or mobile devices, then you should address issues such as data encryption and password policies. For an in-depth look at a popular mobile device, you can read my article, Protecting Your BlackBerry.
An unauthorized or unescorted visitor can be a physical threat and can also steal sensitive information. If possible, steer all visitors into a controlled entry point, be it a gate or receptionist’s desk. When writing your policy, decide whether visitors should be escorted at all times, or only in certain areas. Requiring visitors to wear a badge and sign in and out should also be considered. If your visitor management policy is communicated clearly, employees can more easily serve as your eyes and ears, because they will feel more comfortable approaching or reporting a suspicious individual.
This policy will touch on email, social media, verbal communication, and any other means of sharing information. You need to make sure that employees understand what information they may and may not pass on.
One key to creating effective policies is to make sure that they are clear and as easy to comply with as possible. Policies that are overly complicated only encourage people to bypass the system. Don’t make employees feel like inmates. Communicate the need, and you can create a culture of security.
There is always a trade-off between security and convenience. You would like to board a plane without going through the TSA checkpoint, right? But how comfortable would you be knowing that no one else on the plane had gone through security either? The policies described in this article will help to ensure that you and your employees are protected.