Writing a corporate security policy might seem complex, but ultimately it is a collection of many small policies. By writing each of the essential sub-policies from this list, you are well on your way to creating (updating or revising) a corporate security policy.
From firewalls, to backup, to personnel management, these are 10 common essential security policies your organization needs yesterday.
There are hundreds of sub-policies that a company eventually needs to construct in order to fully address and manage the security concerns of the organization. The focus on these ten does not imply that other policies are any less essential.
This is an article, not an exhaustive treatise, and its goal is to spur action toward writing or improving security guidelines. These ten security policies (or sub-policies) are essential to every organization, regardless of size, location, age, mission, or the product or service produced, and are presented here in no particular order.
1. Acceptable Use Policy
The Acceptable Use Policy (AUP) defines which activities are and are not allowed on company premises, with company equipment, and when using company resources.
It often defines actions that are specifically prohibited, such as accessing pornography, pirated content, or running a side-business. These prohibitions are enforced with consequences in the event an employee is found in violation.
The AUP can also define activities that are allowed within reason or within specific boundaries. For example, it may be acceptable to surf the Internet, participate in chat and e-mail conversations, and even play games up to 10 minutes per hour, as long as it does not interfere with accomplishing work tasks.
The goal of the AUP is to guide employees toward working productively without burning out or putting the organization at risk due to risky or non-business behaviors. Employees should focus on work tasks while at work. Some downtime and distraction is expected, even necessary, but abusing Internet access to the detriment of work assignments is a choice and has consequences.
2. Privacy Policy
When privacy protection is legally mandated, a company must enforce and protect privacy in compliance with the regulations. Some organizations choose to grant additional privacy beyond that mandated by law.
This policy defines what information is collected, what information is not collected, what can or cannot be disclosed, to whom information may be disclosed, and for what purposes the data was collected.
3. Password Policy
The password policy is directed toward improving the security of passwords. If the policy addresses topics beyond just passwords, it could be re-branded as an authentication policy.
A password policy defines the minimum length of a password, the types of characters allowed or required in the password, minimum and maximum age of the password, and the prevention of password re-use.
The password policy might also include account lockout parameters that define the number of unsuccessful logon attempts granted before an account is temporarily or permanently disabled.
The password policy might also prescribe that password auditing or cracking be performed as a security assessment in order to discover weak passwords. Users should be trained on how to select more secure passwords.
This would include selecting longer passwords and focusing on passphrases rather than individual words.
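As an added illustration (not code from the original article), the parameters a password policy specifies, expressed as a small Python checker: minimum length, required character classes, minimum and maximum age, re-use prevention against a hashed history, and account lockout. The numeric thresholds and the user salt are constructed example values, not recommendations.

```python
from datetime import date
import hashlib

# Constructed policy values for illustration; real thresholds come from the policy document.
POLICY = {"min_length": 14, "min_classes": 3, "min_age_days": 1,
          "max_age_days": 90, "history_size": 10, "lockout_threshold": 5}

def fingerprint(password, user_salt):
    """Salted digest kept in the history so old passwords are never stored in clear."""
    return hashlib.sha256((user_salt + password).encode()).hexdigest()

def character_classes(password):
    """Count how many of lower, upper, digit and symbol classes the password uses."""
    return sum((any(c.islower() for c in password), any(c.isupper() for c in password),
                any(c.isdigit() for c in password), any(not c.isalnum() for c in password)))

def check_new_password(password, history, last_changed, today, user_salt):
    """Return the policy rules a proposed password breaks; an empty list means acceptable."""
    problems = []
    if len(password) < POLICY["min_length"]:
        problems.append("shorter than %d characters" % POLICY["min_length"])
    if character_classes(password) < POLICY["min_classes"]:
        problems.append("fewer than %d character classes" % POLICY["min_classes"])
    # Re-use prevention: compare against the last N stored fingerprints only.
    if fingerprint(password, user_salt) in history[-POLICY["history_size"]:]:
        problems.append("re-uses one of the last %d passwords" % POLICY["history_size"])
    # Minimum age: blocks rapid cycling through the history to get back to an old password.
    if (today - last_changed).days < POLICY["min_age_days"]:
        problems.append("minimum password age not reached")
    return problems

def password_expired(last_changed, today):
    """Maximum age: True once the current password is older than the policy allows."""
    return (today - last_changed).days > POLICY["max_age_days"]

def record_failed_logon(state):
    """Account lockout: count consecutive failed logons and lock at the threshold."""
    state["failures"] += 1
    if state["failures"] >= POLICY["lockout_threshold"]:
        state["locked"] = True
    return state["locked"]
```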
4. Disposal and Destruction Policy
The disposal and destruction policy defines when and how to get rid of stuff. There is always waste to be disposed of in every organization. Whether coffee grounds, sensitive printed documentation, or old storage devices, there needs to be a plan other than just tossing it in the bin.
Dumpster diving is a serious threat to security. Anything thrown away can be collected and examined by outsiders. Assume everything thrown out is obtained by your competitors, your enemies, and the government. With this in mind, define a procedure to properly dispose, destroy, and/or recycle everything.
Shredding and incineration are often solutions for both printed materials and storage devices. However, in today's green culture, companies seek to "zeroize" and re-use or recycle equipment whenever possible. (Note: to zeroize is to low-level format a storage device so that every single bit is reset to a zero value. This prevents all known concepts of data remnant recovery.)
Global Knowledge is the worldwide leader in IT and business skills training. We deliver via training centers, private facilities, and the Internet, enabling our customers to choose when, where, and how they want to receive training programs and learning services.