Creating and Enforcing IT Security Policies

Though writing and enforcing policies and procedures is probably nobody’s favorite area of IT operations, it’s still a vital part of your business. And while creating and following set policies is mandatory for government contractors and HIPAA covered entities, EXP takes it a step further. We recommend all companies and organizations maintain and enforce a basic package of policies and procedures that includes the following points:

• IT acceptable use — to outline what people can and can’t do with company tools.
• Mobile device and remote access — to show how company data can be accessed safely offsite.
• Data classification and storage — to cover the types of data your organization has and where it can be stored safely.
• Sanctions — covering the actions your organization will take if an employee does not comply with stated policies.
• User on-boarding and termination procedure — including steps and access level approval for new users and what needs to happen when an employee leaves.
• Incident Response Plan and Procedure — detailing how to respond in the case of a serious IT incident.
• Backup and Disaster Recovery Procedure — outlining how organizational data is protected and how the organization will continue or resume operations in the case of a serious disruption or natural disaster.

At EXP, we’ve drafted, worked with, and enforced countless IT security policies. Based on our experience, below are five tips for creating policies to help keep your company or organization secure.

1. Know your audience.

The first step to getting people to follow security policies is making the instructions easy to understand. To do this, avoid using technical language your employees may not recognize. Even tech-savvy readers and IT staff may tune out if too much jargon is used. Instead, write clearly, be specific, and use practical examples whenever possible. That way, those being asked to comply with the policies will actually understand and follow them.

2. Be clear and concise.

Our attention spans are getting shorter, so keep your policy statements direct and to the point, and make sure your tone matches your corporate style. If you are a smaller organization, you can combine several policies into one easy to read document with a clear title such as “IT Acceptable Use and Security Policy.” An easy to read document can also help you better manage your compliance program.

3. Keep good sign-off records.

For third party purposes such as vendor audits and litigation support, evidence of sign-off is critical. While maintaining signed paper copies of policies in HR files meets this basic need, you can also use Microsoft SharePoint to maintain electronic or scanned copies of signed documents in a SharePoint Library. EXP can help you set this up.

4. Reference a central Sanctions Policy.

Unless users are advised on the consequences of willful or repeated non-compliance, it can be hard to legally support actions such as termination for cause. To solve this, if you have multiple policies, create a separate sanctions policy and reference it in each.

5. Improve your on-boarding process.

Our advice is to slow down the new-hire process just enough to include comprehensive Security Awareness Training at the beginning of on-boarding. This gives new users time to absorb and sign off on relevant policies prior to using the IT system. Again, SharePoint includes a great checklist system for this type of training, and EXP can set you up with the electronic forms to automate this. You can also attend our free IT Security Awareness Training webinar for more detailed tips including valuable training information.

Maintaining compliance with your company’s IT policy is an important part of the contract between employee and employer. As with any good contract, this should be memorialized in writing and easily referenced by both parties. If you need help or advice with IT security and compliance, please contact me directly to discuss.