Most organisations of a reasonable size, will today have at least some policies which integrate with HR to govern Internet and computer use within the company. However, the ability of these limited documents ( and sometimes procedures ) to protect the company is often minimal. With the extent to which malicious vectors are able to compromise systems in the current Internet era, a fully fledged set of policy and procedure documents are required to
- protect the company against inadvertant or malicious data loss or compromise
- protect the company against litigation due to lack of policy or misuse of systems
So how does one decide if these policies and procedures are required? If yes to any of the following questions
- do I have data that, if compromised, could be used for competitive advantage by another company
- do I have data and/or knowledge, that if compromised, could disadvantage the company in any way
- do I employ staff that have access to computing resources and external networks ( eg. Internet )
… then you will need to prepare a set of documentation. Having this documentation alone is not enough – one needs to have management approval for implementation of any directives and of course these need to be enforced. Having directives without applying them is akin to not having them at all. As well, employees need to clearly understand the intention of the documentation and the application of the directives – training is crucial.
Areas of concern that need to be addressed in documentation are
- general computer use
- machine security
- physical access control
- password controls
- encryption of stored and transmitted data
- wireless access
- mobile and remote computing
- endorsed applications
- disposal and re-allocation of computing resources
- data protection
- incident reporting
- acceptable use
All areas of an organisation from management to HR and the general employee, need to be involved in the preparation and application of policies and procedures. Buy-in from all departments is required to make effective use of an IS security policy – the well-being of your organisation could depend on it.
For further information, refer to ITIL Security Management ( ITSM ) which is a best practice system/framework for implementing security policies within an organisation.