Believe it or not, every business has a computer security policy. That policy, however, may not be a written document, on paper or in digital format.
It could be something as simple as a general understanding between management and information technology staff. A true computer security policy should be documented and contain specifics that cover your business practices relating to information technology.
Perhaps your company has documentation with regards to natural disasters. If there was a fire in the building, there are signs directing people to safety. There are instructions on what to do, after calling the fire department or grabbing the nearest extinguisher.
Source: Hyperlearn
However, if you ask the average employee what to do in case of fire, they will probably know, at least, where the exits are and who to contact. Ask that same person whether visiting a website offering screen savers is allowed on the company computers, and you might get a blank stare.
First and foremost, whatever type of computer security policy you plan to create, everyone must understand the guidelines and limitations set forth in the policy. It must be composed in language that everyone can understand.
If the policy is overly technical, you may as well attempt to explain string theory to a first-grade class. On the flip side of the coin, if it is too general in nature, vital points may be left out.
When it comes to the agreeable portion of a corporate security policy, understand that agreeable equates to acceptable for business activity. Agreeable does not necessarily mean acceptable to every employee.
It is entirely possible that there will be pushback from employees at all levels with regard to any proposed changes. You may have to make your case for portions of the policy, and offer options while keeping security where it needs to be.
As an example: letting employees have unfettered access to the Internet at any point in the day may seem nice, but it may pose a larger security risk than, say, granting access to a select list of websites, or access only at certain periods of the day.
Be prepared to explain the risks involved with these types of activities and the consequences to the business. With a good presentation, most people will understand why computer policies have to be in place.
Many businesses have an employee Acceptable Use Policy (or AUP) for their computer systems, which covers, but may not be limited to, use of technological company assets (laptops, desktops, telephones, company purchased cell phones and plans, Email, and other technology).
Coupled with the larger computer security policy, an AUP typically encompasses the limitations on what an employee can do with the technology provided to them. Can they make personal calls on company telephones? Are they allowed to access the Internet from their desk? Is it permissible to correspond with non-employees via Email? These are a small selection of the subjects that the AUP should cover.
An AUP should also include a section covering employee dos and don’ts, along with the potential consequences. Some people believe that if you explain the policy in plain terms, everyone should get the idea.
This belief is unrealistic, and it is important that everyone knows which specific actions on their part require a response by the company. What good would it be to have a stringent security policy that does not get enforced?
In addition to an employee AUP, there should be a section covering acceptable practices, for system administrators, with respect to computer servers, network availability, and Internet facing appliances (proxy server and firewalls for instance).
This part of the security policy would cover the configuration, maintenance, and upkeep of systems required for business continuity. It may seem odd not to lump these items in with desktop and laptop computers, and you can certainly model your policy as such. However, the group of technology mentioned here carries a heavier cost to the business if compromised.
Should a desktop computer experience failure, one small facet of productivity is hindered. A server containing databases used by everyone is another matter entirely as this scenario may cripple the business while it is unavailable.
Many systems administrators, IT management personnel, and technicians think about this next section constantly, even if they already have procedures for such events. Disaster recovery affects businesses worldwide. If you have been fortunate enough to avoid disaster altogether, congratulations.
However, what is your metric for disaster? Would this be all of your servers consumed in a fire? Or would it be ten percent of your end user computers riddled with spyware or viruses? In the grand scheme of things, you cannot cover every single possible disaster, but you can plan for multiple scenarios, and be prepared.
Your core business systems must be protected, but to what extent will be up to you. Whether you are maintaining business applications in-house, or have them outsourced, there has to be an understanding as to what security methods are being used to keep productivity high, and interruptions to a minimum.
Maybe a secure VPN tunnel to retrieve Email remotely will fit your needs. If your email contains highly sensitive data, perhaps access through additional security, like RSA keys or multiple password authentication, is necessary.
On a final note, the computer policy, once it goes into effect, is not a finalized document. It never will be completed: this policy is living documentation, subject to periodic updating and modification by competent authority. A good computer security policy must be flexible enough to allow for changing business practices, changes in public law, or any other change that would impact the scope of the policy.