Implement security policies

You need a security policy for the same reason you need a policy about annual leave: it provides a transparent process by which staff know what is required of them, and it allows management to monitor and audit security practices against the policy.

Unless it is written down and effectively communicated to your staff, they will not know what is required of them.


A security policy is a document that covers the rules and practices that you want your staff to follow when working with e-mail, browsing the Web, and accessing confidential data stored in your system. A security policy can help your organisation reduce security breaches and data loss by helping employees follow through with safe and secure computing practices.


In some cases you may find your customers and/or suppliers demand that you have a security policy in place that they can review - especially if you may be formally linking into their IT systems.

Top tips

  • When creating your security policy, identify and work on securing the IT assets that impact your business the most.
  • Implement a process of reporting breaches. If staff are able to report breaches confidentially they may be more willing to report at all.
  • Set clear policies on what websites employees can and cannot access. Staff need to know what is expected of them when using email and the internet at work.
  • Keep your security policy up to date. Review the security policy yearly to ensure it is still relevant.
  • Stay up to date on cyber security issues. Subscribe to the Stay Smart Online Alert service to keep up to date on the latest security and network vulnerabilities.


Develop clear policies

There are a number of issues a security policy should address, including why one is needed in the first place. The key reasons to have a security policy are that many people using computers are not aware of the security risks, and that once an organisation has multiple computers and multiple staff members, it becomes harder to make sure all the computers are secure and all staff know what to do unless the expectations are written down.

A security policy may cover:

  • Acceptable use - how staff use email and the internet. Should certain websites be blocked to staff? Should there be a restriction on the size of email attachments?
  • Handling sensitive data - who may handle sensitive data, and how it should be handled and stored.
  • Securing and handling equipment - is there a system in place to track who is using equipment in the organisation?
  • Using the internet safely - what system is in place to ensure anti-virus, anti-spyware, operating systems, web browsers and other software are kept up to date?
  • Remote access - what system is in place to ensure security is maintained while staff access work systems from the road or at home?

Implement a process of reporting breaches

Provide a confidential way for staff to report security breaches. It is often difficult for employees to speak out. If you provide a mechanism through which they can safely raise concerns, they are more likely to bring problems to your attention early, rather than when it is too late.

Develop a code of conduct

Develop a code of conduct with your employees about appropriate behaviour in the workplace.

You may want to include what is appropriate to discuss in a public forum outside of work. There have been a number of instances publicised in the media where employees have discussed their views on work and colleagues on social networking websites.

Develop action plans

Establish a set of action plans that staff can follow if something does go wrong, covering such things as:

  • what to do if business equipment is lost or stolen
  • what to do if you think a computer is infected with a virus
  • what to do if there has been a loss of data

Keep your security policy up to date

Once the security policy is implemented, it needs to become an integral part of day-to-day business activities and general business culture.

You and your staff need to keep abreast of information on current security issues so that the security policy you develop stays up-to-date.

Maintaining the security policy is a day-to-day business activity for everyone; for example, checking email for viruses and logging the computer off the internet at the end of the day.

Monitor and test the security policy you have in place to identify potential and actual security problems before they become issues that may cost your business time and money.

Subscribe to the Stay Smart Online Alert service to keep up to date on the latest computer and internet vulnerabilities and threats.