No amount of technology will keep your business secure if there’s no overall company policy specifying how digital assets are to be protected. As part of the hiring procedure, every new employee (and contractor) should read this policy and acknowledge their acceptance of it by signature. It’s vital that every person using company computers and/or accessing company data understands the rules relating to the company’s digital assets.
The security policy is the glue that holds all the security layers together, and demonstrates the value and necessity of each layer. All layers, solutions, resources, acceptable use policies, and consequences for not following policy are defined by the computer security policy.
Security policies should also include:
- Standards to use when defining rules and actions or consequences to support the computer security policy goals and definitions. These standards may also provide specifications for acceptable solution performance (sometimes called Service Level Agreements) and work together to provide a layered security solution.
- Guidelines that support the security policy’s objectives and administrative goals. It’s often helpful to have these guidelines mirror current best practices as they relate to the different security threats and recommended responses.
Because your business, and the security threats to your business, are in a constant state of flux, your security policy must be a living document that changes as the business, environment and technologies change. It should be reviewed and updated at least once a year to make sure all aspects remain applicable and current.
We understand that small businesses want to focus on keeping the business going and find it hard to see the value in creating a whole load of ‘what if’ documentation. That’s exactly why we’ve done the research for you and found the best resources available to help in this area.
Creating a Sustainable Security Policy:
The SANS (SysAdmin, Audit, Network, Security) Institute has created an invaluable site that’s specifically designed to help businesses get started with a security policy. There are primers and templates to help you hit the ground running. Good luck, stay safe and let us know if we can help in any way.
If you want to delve deeper into security policy design and creation, check your local bookstore or Amazon.com for books by Charles Cresson Wood, who’s been developing computer security policies for businesses large and small for twenty years.