It’s not unusual for companies to treat IT security and compliance as an afterthought. IT departments are often too busy rolling out new technologies and fixing current technology to deal with IT policy matters. Many companies have never bothered to assign someone in a permanent security role who can help usher in needed changes that build upon and enhance the company’s overall security outlook.
Fortunately, many of these issues can be rectified through proper governance and the development of IT policies that effectively address business priorities as well as a multitude of risks. The following describes five essential tasks that companies should perform when building a framework of effective IT policies.
Create an Acceptable Use Policy
Consider the acceptable use policy (AUP) as the foundation that anchors all other policies into place. Most AUPs not only define corporate resources (such as file servers, application servers, host computers, and the computer network), but they also cover many areas of computer usage, including use and monitoring of computer resources, network access, use of encryption software, and personal equipment. AUPs also govern potentially problematic issues, such as illegal copying, inappropriate or unlawful material, and communication of trade secrets.
It’s usually a good idea for companies to check with their legal department when creating AUPs and other policies with a company-wide impact. In some cases, the legal department may already have a standard AUP that can be used and modified as needed.
Raise Security Awareness
It’s also important to make all users aware of the impact that their individual actions could have on the company’s security and privacy. Companies can raise security awareness through hands-on security awareness training and periodic newsletters detailing the latest cybersecurity threats and how they can be mitigated. Other measures include cutting off unnecessary network and computer access and implementing relevant security policies that address current critical issues.
Focus on Information Security
Companies should focus on creating a single point of contact responsible for managing information security, defining that person’s roles and responsibilities (along with those of other personnel under that umbrella), and defining the environment and scope of the role. It’s also crucial to define the processes and technology to be governed under this structure, including information access, system access control, and password policies.
Create Disaster Recovery and Business Continuity Plans
It’s important for companies to have an effective disaster recovery/business continuity plan (DR/BCP) in place covering a broad range of risks, from natural disasters such as fire, floods, and hurricanes to malicious incidents such as denial-of-service attacks. Not only must a DR/BCP keep the business operating regardless of the incident, but it must also provide effective recovery from such events.
Practice Change Management
Change management is essential for understanding fast-paced changes that occur throughout the IT department and how these changes could potentially impact other aspects of the company. Change management provides a more methodical approach to understanding and planning changes and allows for planning to reverse changes that have unforeseen consequences. Aspects of this policy include proper notification, review, and documentation of all changes, as well as identification, maintenance, and review of the network topology and infrastructure access points.
To learn more about how these policies can help build a solid foundation for systems security management for your company, contact us at eXemplify today for a consultation.