As we wrote in our last post, an enforceable IT security policy is an important part of your organization’s security strategy. Unfortunately, many companies don’t have this policy. As many as one in three companies lacks an information security policy.
It’s not enough to develop this policy and then put it away. Depending on the size and type of your business, the policy should be revisited at least annually with the stakeholders in the systems and processes it covers. If this is not done, the policy becomes difficult to enforce, and you can’t be sure it still meets the needs of the business over time.
“The resultant mess is no good to anyone, and can often leave the business open to unforeseen issues,” explains IT security expert Andi Scott in a post for ComputerWeekly.
To be of any value to your company, Scott says, an IT security policy should be:
- Short, readable, and accessible to the key members of your organization. Supplemental documentation can get into the nitty-gritty for those who need to know. Everyone else just needs to understand what their responsibilities are.
- Aligned with your business’s needs and goals. Security policy should not be “one-size-fits-all.”
- Aligned with your industry’s regulations.
To Scott’s list, we would add that an IT security policy should be enforceable. Your information security policy shouldn’t be merely a statement of ideals. It should comprise actual rules that are followed and enforced throughout your organization.
Otherwise, it’s just words.
So how do you go about creating an IT security policy that will protect your company’s valuable data, align with your unique business goals, and actually be followed by your employees?
1. Get the Major Players On Board
An enforceable IT policy comes from the top. If managers and executives aren’t signed on — from every department, all the way up to the C-suite — there’s little chance of getting rank and file employees to follow along. Furthermore, your company’s leaders should play a role in determining the direction and goals of your policy — the same way they set the direction and goals for every other business initiative.
2. Aim for Clarity
Your policy needs to impress upon the least technical members of your team the importance of things like not opening attachments or clicking on links in emails without stopping to think first, and the risks of logging onto public WiFi with company devices. So a security policy should be detailed but still understandable by non-technical people. It needs to be understood well beyond the IT department.
3. Focus On Your Business, Not the Trends
Closely related to the cookie-cutter approach is the everything-but-the-kitchen-sink approach. Companies throw whatever is trendy in the IT security world into their document, regardless of whether it applies to their business or industry regulations.
This can cause your information security policy to balloon out of control, with contradictory provisions or overly strict rules that make no sense for your users.
Nothing sends users searching for their own solutions more than IT policies they perceive as pointless. Hence, the birth and growth of shadow IT.
4. Always Be Educating
The antidote to shadow IT — the scourge of IT pros everywhere — is education. Don’t go through the effort of creating an IT security policy to just let it sit there. Spread the message.
Users must be warned against the risks of shadow IT. Instead of finding a workaround on their own, they should be encouraged to consult with IT when they feel their current application or process is inadequate.
Everyone at your company is a target for phishing and spear-phishing attacks. They must, therefore, be taught how (and why) to handle email attachments properly and to assess the authenticity of a sender.
How Are You Building Your IT Security Policy?
Do you have any pointers for your fellow IT pros on how to create an enforceable IT security policy? Share them in the comments section below.