Saturday, June 30, 2012

The most important IT security policies & procedures

           This week my focus has been on IT security policies and procedures and I figured that it wouldn't hurt to have a list of some of the more important ones. 

            A security policy is documentation that spells out a specific set of rules and regulations and how they will be enforced.  A policy is the foundation on which a security program is built, and it is what lets an organization hold people accountable for their actions.  It is a living document in which an organization defines clear objectives, goals, formal procedures, and rules; together these define the overall security posture and design of the organization.

            Before getting into specifics, there are a few characteristics that all policies should have:

·         The policy must be understandable

·         The policy must be realistic

·         The policy must be consistent

·         The policy must be enforceable

·         The policy must be documented, distributed, and communicated correctly

·         The policy must be flexible

·         The policy must be reviewed and updated on a regular schedule

            A policy should spell out the following:

·         Roles and responsibilities of those affected by the policy

·         Which actions, processes, and activities are and are not allowed

·         What the consequences are for non-compliance

            The following list is what I feel are the most important policies and procedures:

·         Password security policy - defines rules for passwords: minimum length, complexity, reuse, lockout, and expiration (note that more recent guidance, NIST SP 800-63B, drops mandatory periodic expiration in favour of length and screening against known-breached passwords)

·         Physical access policy - guidelines for physical access and control

·         Encryption policy - guidelines for encrypting data

·         Remote access policy - defines what actions are and are not allowed when connecting to the network remotely, and what controls (VPN, multi-factor authentication, managed devices) are required to do so

·         Internal information access policy - covers who has access to what, on a 'need-to-know' basis

·         Social Media policy - covers what employees shouldn't post on social media sites

·         Data classification policy - guidelines for data classification

·         Acceptable use policy - covers Internet, local network, software installation, e-mail use, etc. for all users

·         Privacy policy - guidelines on private data usage and control

·         Disposal and destruction policy - guidelines on when and how data and media are disposed of or destroyed, and by whom

·         Storage and retention policy - guidelines for storage and retention of data

·         Incident response policy - guidelines for incident response to include roles and responsibilities

·         HR policy - guidelines for the security side of hiring, onboarding, role changes, and termination, including background screening and the removal of access when someone leaves

·         Change management policy - guidelines for how changes to systems are requested, approved, tested, documented, and rolled back if needed

·         Firewall policy - guidelines for firewall configuration, who may change the rule base, and how often the rules are reviewed

·         Personal electronic device policy - guidelines for mobile electronic devices, USB, and DVDs, what is and is not allowed in the facility
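A policy only holds people accountable if its rules can actually be checked.  As an added example (not from the original post or its references), the following Python script turns the password security policy above into code: the length, character-class, banned-word and expiration rules are assumed values, and the three accounts and their last-change dates are constructed sample data for the check to run against.

```python
"""Password-policy-as-code check (added example; not from the original post)."""
from dataclasses import dataclass
from datetime import date, timedelta
import string


@dataclass(frozen=True)
class PasswordPolicy:
    """Rules a password policy document typically states; the values are assumed."""
    min_length: int = 12
    min_classes: int = 3          # distinct classes among lower/upper/digit/symbol
    max_age_days: int = 90        # 0 disables expiry, as current NIST guidance allows
    banned: frozenset = frozenset({"password", "letmein", "welcome", "qwerty"})


def character_classes(password: str) -> int:
    """Count how many of the four character classes appear in the password."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(checks)


def check_password(password: str, policy: PasswordPolicy) -> list:
    """Return the list of rule violations; an empty list means compliant."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"length {len(password)} < {policy.min_length}")
    if character_classes(password) < policy.min_classes:
        violations.append(f"fewer than {policy.min_classes} character classes")
    lowered = password.lower()
    if any(word in lowered for word in policy.banned):
        violations.append("contains a banned word")
    return violations


def password_expired(last_changed: date, today: date, policy: PasswordPolicy) -> bool:
    """True when the password is older than the policy's maximum age."""
    if policy.max_age_days <= 0:
        return False
    return today - last_changed > timedelta(days=policy.max_age_days)


def audit_accounts(accounts, today: date, policy: PasswordPolicy) -> dict:
    """Map each account name to its violations; compliant accounts map to []."""
    report = {}
    for name, password, last_changed in accounts:
        problems = check_password(password, policy)
        if password_expired(last_changed, today, policy):
            problems.append(f"not changed in {policy.max_age_days} days")
        report[name] = problems
    return report


# Constructed sample data.  Plaintext passwords appear here only so the check
# can run offline; a real deployment enforces these rules at password-set time
# and never stores plaintext.
SAMPLE_TODAY = date(2012, 6, 30)
SAMPLE_ACCOUNTS = [
    ("alice", "Correct-Horse-Battery-7", date(2012, 5, 1)),   # compliant
    ("bob", "Password1!", date(2012, 1, 15)),                 # short, banned word, expired
    ("carol", "summertime2012", date(2012, 6, 1)),            # only two character classes
]


def audit_sample() -> dict:
    """Run the audit over the constructed accounts with the default policy."""
    return audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_TODAY, PasswordPolicy())


if __name__ == "__main__":
    for account, problems in audit_sample().items():
        print(account, "OK" if not problems else "; ".join(problems))
```

Run as-is it reports alice as compliant, bob with three violations (too short, contains "password", not changed in 90 days) and carol with one (too few character classes).  Setting `max_age_days=0` on the policy switches off expiry without touching the other rules, which is the kind of single change a reviewed policy should make easy.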

References:

Davidson, E. (n.d.).  IT security and the importance of policies and procedures.  Demand Media.  Retrieved 30 June 2012, from http://smallbusiness.chron.com/security-importance-policies-procedures-1100.html

Global Knowledge (2010).  10 essential security policies.  Retrieved 30 June 2012, from http://www.infosecisland.com/blogview/5033-10-Essential-Security-Polices.html

Shimonski, R. (2003).  Defining a security policy.  Retrieved 30 June 2012, from http://www.windowsecurity.com/articles/Defining_a_Security_Policy.html
