Written information security policies are essential to organizational information security. This holds true for both large and small businesses, as loose security standards can cause loss or theft of data and personal information. Written policies give assurances to employees, visitors, contractors, or customers that your business takes securing their information seriously.
Information security policies are written instructions for keeping information secure. Policies should include guidance on passwords, device use, Internet use, information classification, physical security—as in securing information physically—and reporting requirements.
Developing a password and personal identification number policy helps ensure employees are creating their login or access credentials in a secure manner. Common guidance is to not use birthdays, names, or other information that is easily attainable.
Proper methods of access to computers, tablets, and smartphones should be established to control access to information. Methods can include access card readers, passwords, and PINs.
Devices should be locked when the user steps away. Access cards should be removed, and passwords and PINs should not be written down or stored where they might be accessed.
Assess whether employees should be allowed to bring and access their own devices in the workplace or during business hours. Personal devices have the potential to distract employees from their duties, as well as create accidental breaches of information security.
As you design policies for personal device use, take employee welfare into consideration. Families and loved ones need contact with employees if there is a situation at home that requires their attention. This may mean providing a way for families to get messages to their loved ones.
Procedures for reporting loss and damage of business-related devices should be developed. You may want to include investigation methods to determine fault and the extent of information loss.
Internet access in the workplace should be restricted to business needs only. Not only does personal web use tie up resources, but it also introduces the risks of viruses and can give hackers access to information.
Email should be conducted through business email servers and clients only unless your business is built around a model that doesn't allow for it.
Many scams and attempts to infiltrate businesses are initiated through email. Guidance for dealing with links, apparent phishing attempts, or emails from unknown sources is recommended.
Develop agreements with employees that will minimize the risk of workplace information exposure through social media or other personal networking sites, unless it is business-related.
Encryption and Physical Security
You may want to develop encryption procedures for your information. If your business has information such as client credit card numbers stored in a database, encrypting the files adds an extra measure of protection.
Key and key card control procedures such as key issue logs or separate keys for different areas can help control access to information storage areas.
If identification is needed, develop a method of issuing, logging, displaying, and periodically inspecting identification.
Establish a visitor procedure. Visitor check-in, access badges, and logs will keep unnecessary visitations in check.
Security Policy Reporting Requirements
Employees need to understand what they need to report, how they need to report it, and who to report it to. Clear instructions should be published. Training should be implemented into the policy and be conducted to ensure all employees understand reporting procedures.
Empower Your Team
One key to creating effective policies is to make sure that the policies are clear, easy to comply with, and realistic. Policies that are overly complicated or controlling will encourage people to bypass the system. If you communicate the need for information security and empower your employees to act if they discover a security issue, you will develop a secure environment where information is safe.