When interviewing clients as part of our IT audit process, we frequently discover that technology policies are a concern because they are outdated or simply nonexistent. This typically happens when there is a lack of proficient security and compliance personnel, or simply because no one has been assigned that role.

For many of us, policy writing instantly evokes images of lengthy paperwork and long hours. However, policies form a vital framework for managing IT security and strengthening compliance within your organization. Two points to remember about writing policies: (1) policies don't have to be long and drawn out. They are actually more likely to be followed when they are written in a clear and concise manner, as staff will be better able to retain the information. And (2) they should always be specific to your business and cover the unique needs, goals, and people within it.

Six policies that you should establish if you haven’t already are:

  1. Acceptable Use Policy – outlines who has access to what (files, applications, other computers and networks, remote access, etc.), password responsibility, communication of confidential information, and more.
  2. Information System Security – intended to identify the individual who serves as the security point of contact and their responsibilities, along with policies directed at access controls, user IDs and passwords, and password policies (such as the number of characters, etc.).
  3. Business Continuity Plan (BCP) – as it relates to IT, a BCP is essential to mitigating risk to your data and stakeholders. A solid plan will address how, what, who, and when. Bear in mind that a strategy should already be applied to system backups (types of backups, medium(s) used for backups, what is backed up, etc.). Your BCP should indicate expectations surrounding recovery of data and how it will be achieved. Incident response policies should also be contained within the plan, defining how teams will handle and report incidents. This might include training, detailing communication outlets, and so forth.
  4. Remote Access – to minimize your company's exposure to threats, policies must be developed regarding who has access and what rules govern how they use it.
  5. Bring Your Own Device (BYOD) – if your business permits employee use of personal devices for company purposes, a policy to regulate how they access and use company resources is imperative. The policy should also cover what procedures should occur in the event of a lost or stolen device.
  6. Security Awareness – the goal of this policy is to make certain employees are advised and well-versed about potential security risks, such as the latest malware threats, social engineering tactics, and the importance of detecting and identifying risks.

The following free policy templates are available to get you started:

https://www.sans.org/security-resources/policies