When it comes to security and risk management, can your internal IT policies stand up to the numerous threats in today’s business environment? Ample technology solutions are available to handle the threat landscape, but many fall short of dealing with user behavior. Solid policies that are accessible to team members can help avoid costly IT challenges before they impact your business. Let us explore six IT policies that offer security and peace of mind in an implementable and cost-effective way.
1. Acceptable Use Policy
A general acceptable use policy is a great place to start. It should apply to equipment and assets including data, printers, copiers, etc. Create a broad policy that instructs users on what they can do with the tools provided by the company. A smart acceptable use policy contains the following components: rules surrounding what is allowed and prohibited with company property, a clear statement of when and where the policy applies, and the ramifications of breaking the policy.
2. Remote Access Policy
As more staff work from home, it is imperative for companies to have a remote access policy in place. This policy allows employees to work virtually in a way that is tracked and managed, and it should include instruction on what devices can connect remotely. Additionally, it should define the environment in which information may be accessed, including public spaces like coffee shops or libraries. Consider including the following in your remote access policy: what systems should be used to allow for remote access, which devices are allowed to complete tasks, and protocols for working virtually in a secure way.
3. Incident and Disaster Response Policy
Prepared organizations have systems in place to address technology challenges such as ransomware and system outages. Your employees should know their role in supporting the company when a disaster or other incident occurs. The policy should designate the response teams, both inside and outside the company, that respond to events: service providers, IT staff, managers, and even legal and financial consultants. Take your policy through to the end of an incident by including post-event analysis to learn valuable lessons that can solidify your policies going forward. Some components of a complete incident and disaster response policy include: identifying response teams, creating an emergency call list, assigning staff members roles and responsibilities, and designing a post-event analysis.
4. Email Policy
Another topic being thrust to the forefront in light of increased remote working is your company’s email policy. Largely governed by common sense concepts, an effective email policy needs to differentiate between internal company communication and external communication to vendors and customers. Be sure to include policies for using personal email accounts on company-managed devices and privacy expectations. Thorough email policies include: a statement regarding ownership and privacy as it relates to email data, guidance on what constitutes misuse, backup policies, communication etiquette, and security procedures for keeping email data safe. Staff should also be informed of the consequences of breaking the email policy and be asked to acknowledge the policy.
5. Sensitive Data Policy
All businesses have proprietary information including Personally Identifiable Information (PII), Controlled Unclassified Information (CUI), marketing data, client proposals, and trade secrets. A sensitive data policy defines what the organization wants to protect and why. It instructs team members on how to relay information to trusted third parties and how to back up sensitive information. When creating this policy, include: what data is to be protected and why, where such information is to be saved, and the associated backup procedures.
6. Overall Security Management and Planning Policy
Finally, your organization should outline what it is doing at a high level to keep all of its assets secure. This policy should address the tools used to support all of your other performance and security policies. Include the procedures the company is using, such as patching systems, backing up data, and using antivirus software. Also, specify methods like penetration testing or other vulnerability tests and audits for keeping information safe. A smart security management and planning policy will include: a description of what the organization is doing and which security tools are being used, and methods for measuring the effectiveness of the security plan as well as the frequency of such measurements.
Most organizations know that they need policies to keep critical information secure, but sometimes there are gaps between this knowledge and its implementation. If you are seeking professional guidance for creating and managing your performance and security IT policies, please reach out to us – we’re here to help!