The most difficult part of creating a Security Policy for your
business is determining what, exactly, to include in it. Never
heard of a Security Policy before? You're not alone. But whether
you are the only employee in your company or you have a small
staff working for you, you need to learn what a Security Policy
is, and then you need to create one.
In much the same way that a personnel policy informs employees of
things like vacation time accrual, performance review schedule
and other personnel-related issues, a Security Policy informs
your employees of the steps that are necessary to keep your
company's network and computers secure. The policy is your
company's rules and regulations that are enforceable, under law
if necessary, if breached.
A Security Policy will include rules and formal procedures that
are clearly written and laid out. But most importantly, the
information contained must be easy for employees of all levels to
understand.
And just as it is with young children, the content of your
Security Policy must be enforceable, and it must be enforced
consistently. Saying in writing that something is not allowed,
then allowing it to happen during regular work hours sends mixed
messages to your employees. They won't know what really is right
or wrong, which will defeat the whole point of your Security
Policy. Inconsistent implementation also leaves you open to legal
liability.
Like any good policy, your Security Policy should be regularly
updated to reflect today's rapidly-changing business environment.
Most of the time, you will be the person making these changes.
However, if your company is growing and adding staff, this may
not always be the case. Make sure the person responsible for
updating your company's Security Policy has guidelines and
boundaries, and most of all, make sure you read and approve any
changes made by someone else.
Make presenting your Security Policy part of your new employee
orientation procedure. Make sure every employee reads the policy,
signs and dates a document certifying that it has been read, and
then keep the signed and dated certification in their respective
personnel folder. And every time that your Security Policy is
updated, make every employee read it again, and sign and date a
document stating that they have read the changes.
The types of topics you may want to cover in your company's
Security Policy include but are not limited to:
* What can be loaded onto an employee's computer from floppy disk
or CD
* What personal business, if any, can be conducted on the company
computer
* Which files or company information is allowed to leave the
internal network or is allowed to be sent out over the Internet
* Who is allowed to install new software and software upgrades
onto the system, and equally important, who is not allowed to do
this
* A password management and password change policy which includes
the acceptable length of passwords. Provide examples of
permissible/non-permissible passwords. Examples of
non-permissible passwords might include date of birth, names of
pets, nicknames, children's names, etc.
* Who's allowed remote access to your network from off-site
* Policies for locking keyboard or using password protected
screensavers when an employee's PC is left unattended
* Who is allowed to attach their laptop or other portable
computing device to the network and what information they are
allowed to upload/download
* Guidelines for vendors and other visitors who may need access
to your network while they are on-site.
Whether you have one PC or several networked together, you have a
lot of money invested. Protect this critical business asset with
an iron-clad Security Policy.
About the Author
Cavyl Stewart is the author of "135 Hot Tech Tips for Small
Business Owners." To Download your free copy, just visit:
http://www.find-small-business-software.com/135_tips.php
