Many businesses, especially smaller ones, have a blind spot when it comes to security and risk management, particularly around internal policies. While there are ample technology solutions available to deal with the threat landscape and protect data and system uptime, there is no technology solution that will completely address the risks posed by irresponsible end user behavior. There are also limits on what technology investments most organizations can make, so it’s important to get the best return on investment from your risk management tools and efforts. Strong policies that are well understood by staff are often the least expensive and most effective way to avoid costly IT challenges.
Data compliance standards also demand internal policies as well as technical controls, so even if you think the policies aren’t worthwhile, it’s possible that you still need to create them. In this blog, I outline the IT policies that every organization needs in 2020. Hopefully, you have some of these in place already, but if not, I encourage you to use this blog as a jumping-off point. Keep in mind as you read this that some organizations may call these policies different things, but the important part is that the goals of these policies are intact.
Email Policy
Now more than ever, in the age of remote working and COVID-19, you need to define for your staff the appropriate use of email. Fortunately, many of the rules that should be implemented regarding business email accounts are common-sense concepts. A good email policy should define the difference between internal email communication and external communication to third parties like customers or partners. This should also extend to the use of personal email accounts on devices managed by the organization, including any expectations of privacy with email communication (or lack thereof).
A strong Email Policy will include:
- A statement of email ownership and privacy (i.e., a statement that the company owns and can view all data transferred via company email).
- Usage guidelines regarding misuse and abuse.
- Email retention and backup policies that align to the company’s document management and legal requirements.
- Etiquette around the company’s preferred communications practices as well as what not to do.
- Company and network security policies and procedures, specifically around phishing.
- Consequences of breaching the email policy, including any disciplinary action.
- Staff awareness and acknowledgement of the policy.
Acceptable Use Policy
While an Email Policy speaks specifically to that kind of communication, it’s also important to have a general Acceptable Use Policy that applies to equipment, as well as other assets belonging to the organization such as data, copiers, printers, etc.
This policy should be broad and communicate the company’s philosophy around what individuals do with the tools provided to them. It is very hard to write a policy that speaks to every single piece of technology that a user might ever touch, but if you set the expectation of which kinds of behaviors are and are not acceptable, it puts the ball in the employee’s court when it comes to making the right decisions on a day-to-day basis.
An Acceptable Use Policy typically outlines:
- Specific rules around what is allowed and prohibited with company property.
- The scope of the policy: which situations it does and does not apply to.
- Consequences for breaking the rules.
Remote Access Policy
This policy has also become increasingly important as more people work from home during the pandemic. A good Remote Access Policy should first define what methods are acceptable for working remotely. It’s very important that, as staff gain the flexibility to work from home, they do so in a way that is managed and tracked. That can only be done by specifically defining what systems must be set up to accomplish this goal.
Other elements of this policy should include what devices can connect remotely, as well as expectations around the environment in which people connect remotely. For example, if you are dealing with sensitive information, it may be wise to dictate that users do not access this information in an area where eavesdropping can occur like a coffee shop or an airport terminal.
A Remote Access Policy will define:
- The methods of remote work that are and are not acceptable.
- What systems must be set up to allow for remote access.
- What devices are and are not allowed.
- Security protocols for working remotely and dealing with sensitive information.
Sensitive Data Policy
Every organization has information that is proprietary. Sometimes this data carries legal liabilities, such as Personally Identifiable Information (PII) or Controlled Unclassified Information (CUI), and you are required to protect it under compliance standards. But that may not be the only information that is sensitive to your organization. You might want to apply special protections to other information like proposals, marketing information, trade secrets, personnel notes, and other information that you want to protect from intrusion or simply not lose.
While you can use this policy to define what you are doing from a security perspective to protect this data, a better way to think about the goals of this policy is to define for staff what the organization cares about protecting and why. It will also define what staff are allowed to do with sensitive data, such as how they can transmit it to trusted third parties, where the data can be saved, and how to make sure this data is backed up.
It isn’t reasonable to expect your staff to protect your information, and by extension your business, unless you take the time to make clear what you are trying to protect and why. Just like the Acceptable Use Policy, by defining the goals of the policy, end users can make informed decisions in real time as sensitive data challenges come to them directly.
Be Sure to Include in Your Sensitive Data Policy:
- What data the organization cares about protecting and why.
- How staff should transmit sensitive data to trusted third parties.
- Where sensitive data can and should be saved.
- How to make sure sensitive data is properly backed up.
Incident and Disaster Response Policies
Many organizations set up systems to respond to the inevitable challenges associated with technology, such as system crashes or ransomware. However, your staff need to understand what role they play in supporting the organization during an incident or disaster.
First, you should consider defining the difference between an incident and a disaster. An incident might be something as basic as a PC that no longer functions or a power outage at an office. However, a disaster could be a major ransomware attack, a break-in to the building, or even a fire or flood that cripples the organization’s ability to work. One way to look at it may be to say that incidents may not significantly impact the ability of the organization to continue operations, while a disaster could be far more serious and perhaps have legal or liability implications. However you define them in policy, it is important to clarify the differences, so as not to paint with too broad a brush.
Perhaps most importantly, these policies should define response teams. These teams should include people both within and outside of the organization, such as department managers, IT personnel or service providers, and possibly legal or financial assistance. Staff should know whom to contact and what to do if they suspect that an incident or disaster is occurring, as well as what they should be doing during whatever remediation is required.
Another important part of these policies is post-event analysis. While not all incidents and disasters can be prevented through planning, it is possible that the organization can learn valuable information as a result of these events that it can use to harden its systems or workflows to reduce future risks.
Your Incident & Disaster Response Policy should:
- Define the difference between an ‘incident’ and a ‘disaster’.
- Identify your response teams, both within and outside of the organization.
- Include an emergency call tree for security incidents.
- Identify staff roles and responsibilities during an event and its remediation.
- Include a post-event analysis.
Security Management and Planning Policy
This policy should define what the organization is doing at a high level to support the overall security of the systems in place. Many of the other policies we have reviewed discuss behaviors people within the organization should take on a day-to-day basis, but this policy should define the tools used to support these other policies.
First, outline (not too specifically) what the organization is doing to protect data, such as patching of systems, perimeter-based security products, antivirus software, data backups, and so on. You should also explain the purpose of these tools and why they are being used. You probably have many solutions in place to prevent security issues from occurring, and this is the place to put them out there for management, as well as auditors, to understand what is being done.
Furthermore, there should also be practices defined to review and analyze the effectiveness of the security in place, including what kinds of testing are done (such as vulnerability testing or penetration testing) or other kinds of audits, and how frequently these assessments occur.
Tips for your Security Management and Planning Policy:
- Describe what your company is doing to protect its data.
- Outline what security tools you are using and why.
- Define how you will review and analyze the effectiveness of your security plan (e.g., vulnerability testing, penetration testing, audits).
Most organizations will probably need additional policies that speak to a specific industry or business concern. If you are just getting started on policy development, we recommend checking out the SANS Institute, which offers many templates (probably more than you need) that can help get you started.
And please contact us if you would like to chat about specific IT policies for your organization.