Successful Business Security Policy

Addressing external threats is technology-oriented. There are plenty of Internet technologies available to reduce external network threats (firewalls, antivirus software, anti-spyware, intrusion-detection systems, e-mail filters and others), but these resources are mostly implemented by IT staff and go unnoticed by the user. Network security inside a company is, however, a management issue. Implementing an acceptable use policy (AUP), which by definition regulates employee behavior, requires tact and diplomacy.

At the very least, having such a policy can protect you and your company from liability if you can show that any inappropriate activities were undertaken in violation of that policy. More likely, however, a logical and well-defined policy will reduce bandwidth consumption, maximize staff productivity and reduce the prospect of any legal issues in the future.

Here are 10 points that provide a sensible approach to developing and implementing a policy that will be fair, clear and enforceable.

Identify your security risks

What are your risks from inappropriate use? Do you have information that should be restricted? Do you send or receive a lot of large attachments and files? Are potentially offensive attachments making the rounds? It might be a nonissue. Or it could be costing you thousands of dollars per month in lost employee productivity or computer downtime.

A good way to identify your risks can be through the use of monitoring or reporting tools. Many vendors of firewalls and Internet security products allow evaluation periods for their products. If those products provide reporting information, it can be helpful to use these evaluation periods to assess your risks. However, it's important to ensure that your employees are aware that you will be recording their activity for the purposes of risk assessment, if this is something you choose to try.
Many employees may view this as an invasion of their privacy if it's attempted without their knowledge.

Learn from others

There are many types of security policies, so it's important to see what other organizations like yours are doing. You can spend a couple of hours browsing online, or you can buy a book such as Information Security Policies Made Easy, etc., which should have policy examples ready to customize. Also, talk to the sales reps from various security software vendors. They are always happy to give out information.

Make sure the security policy conforms to legal requirements

Depending on your data holdings, jurisdiction and location, you may be required to conform to certain minimum standards to ensure the privacy and integrity of your data, especially if your company holds personal information. Having a viable security policy documented and in place is one way of mitigating any liabilities you might incur in the event of a security breach.

Level of security = level of risk

Don't be overzealous. Too much security can be just as bad as too little. You might find that by just keeping the bad guys out, you don't have problems with appropriate use because you have a mature, dedicated staff. In such cases, a written code of conduct is the most important thing. Excessive security can be a hindrance to smooth business operations, so make sure you don't overprotect yourself.

Include staff in security policy development

No one wants a policy dictated from above. Involve staff in as much of the security process as possible. Keep staff informed as the rules are developed and tools are implemented. If people understand the need for a responsible security policy, they will be much more inclined to comply.

Train your employees

Staff training is commonly overlooked or underappreciated as part of the AUP implementation process. But, in practice, it's probably one of the most useful phases.
It not only helps you to inform employees and help them understand the policies, but it also allows you to discuss the practical, real-world implications of the policy. End users will often ask questions or offer examples in a training forum, and this can be very rewarding. These questions can help you define the policy in more detail and adjust it to be more useful.

Count on getting things in writing

Make sure every member of your staff has read, signed and understood the policy. All new hires should sign the policy when they are brought on board and should be required to reread and reconfirm their understanding of the policy at least annually. For large organizations, use automated tools to help electronically deliver and track signatures of the documents. Some tools even provide quizzing mechanisms to test users' knowledge of the policy.

Set clear penalties and enforce them

Network security is definitely no joke. Your security policy isn't a set of voluntary guidelines but a condition of employment. Have a clear set of procedures in place that spell out the penalties for breaches in the security policy. Then enforce them. A security policy with haphazard compliance is almost as bad as no policy at all.

Update your staff

A security policy is a dynamic document because the network itself is always evolving. People come and go. Databases are created and destroyed. New security threats pop up. Keeping the security policy updated is hard enough, but keeping staffers aware of any changes that might affect their day-to-day operations is even more difficult. Open communication is the key to success.

Install the tools you need

Having a policy is one thing; enforcing it is another. Internet and e-mail content security products with customizable rule sets can ensure that your policy, no matter how complex, is adhered to.
The investment in tools to enforce your security policy is probably one of the most cost-effective purchases you will ever make.

You will find much more on this topic at WorldsLargestNetwork.com.