Security Policies – What Do You Really Need?
Many organizations struggle to find the right level of formality when it comes to documented security policies. Smaller manufacturers in particular may struggle with having too few policies or not having the right policies to cover the breadth of topics needed to properly secure their technology assets and guide employees on what is and isn’t acceptable. Too few or lacking policies can lead to gaps in security, so it’s important to ensure that each organization maintains a policy library that covers the following five topics at a minimum:
- Acceptable Use – At a minimum, companies should have an Acceptable Use policy that defines what employees may and may not do on company-owned computers, mobile devices, and networks. Sub-topics should include how the internet, e-mail, and telecommunications/video conferencing may (and may not) be used at work, authorized access to systems, use of software licensing, physical security of equipment, and data privacy and confidentiality. This policy should be part of any employee handbook and distributed to all employees that use a computer to fulfill their job responsibilities.
- Passwords & Authentication – This policy should provide guidelines on passwords requirements and establishing proper account security. Examples may include minimum length, complexity requirements, how frequently passwords should be changed, requiring multi-factor authentication on significant systems, etc. This policy is also a good place to specify to employees how to securely share passwords when required and when sharing of passwords may or may not be acceptable. It is also a good place to suggest the use of a password vault or manager.
- Security Tools & Monitoring – This policy should define what security monitoring, remote management, and anti-malware tools are required to be installed on every company-owned device or computer used for work purposes. This is particularly important for remote employees and employees who use mobile devices.
- Allowed Devices – This policy should define what computers/devices are allowed on company networks, whether personal devices are allowed to be plugged into the company network or joined to the wireless network, or what devices may or may not be used to access certain systems and applications.
- Bring Your Own Device (BYOD) – This important policy defines what personal devices may be used for work purposes. There are several aspects of BYOD that should be covered, including whether personal devices are or aren’t allowed for work purposes and what systems specifically they may or may not be used to access. It should also define what security requirements a personal device must comply with to be used for work purposes such as having a passcode, requiring company management software or an anti-malware tool, etc. Lastly, it should define specify whether only personal mobile devices may be used for work purposes, or whether computers/tablets are allowed as well.
These policies can be individually documented or all be part of one comprehensive document. The important thing is to define these with a sufficient level of detail such that employees have proper guidance on how to effectively operate day-to-day and that your business is protected from common cyber risks and threats.