Standard Security Policies

Here are some of the typical policies that any business should have in place to inform staff of the compliance requirements and prepare the organization for dealing with cyber-threats and incidents.

Security Policy

AKA “Data Policy” or “Acceptable Use Policy”

Instructs staff on how to handle personally identifiable information and protect company resources. This policy outlines how confidential or sensitive materials, digital or physical, should be stored and protected. For digital media, is encryption required when emailing or storing it? Must computers be locked when staff step away from their desks? Is it acceptable to write passwords on post-it notes stuck to monitors? (It is not, and the policy should say so.)

Incident Response Plan

AKA “Breach Policy”

Guides the response to a data breach. Who should be notified? Who should be involved in the response? What timeframes apply for reporting to authorities and for alerting the individuals whose data was exposed? What follow-up is required? A good incident response plan includes pre-drafted sample communications and is aligned with every regulatory notification requirement the company is subject to, since those deadlines are measured from discovery and leave little time to draft from scratch.

Mobile Device Policy

AKA “Remote Computing Policy”

Instructs staff on how to protect company information on phones, laptops, tablets, and home computers. It establishes obligations that the employee must comply with if company data is going to be accessed or stored on personally-owned equipment. It includes requirements for securing company-owned equipment, such as what to do should a laptop be lost or stolen and how often the laptop should be brought in for inspection by IT staff; and it outlines the procedures for removing company data when an employee leaves the organization.

Password Policy

Covers the requirements for accessing company systems. For a long time, the standard security best practice was to require complex passwords (mixing letters, digits and special characters, with mixed case) and frequent forced changes. Since the 2017 revision of NIST Special Publication 800-63B, the thinking has changed: with too many passwords to memorize, composition rules and forced rotation push users toward predictable patterns (Summer2023!, Summer2024!) that attackers' cracking tools already model, so that older advice is now considered out of date. A safer password policy, following NIST, would have these rules:

♦ A minimum of 15 characters (NIST requires at least 8 and recommends 15). Spaces and all printable characters should be accepted, so users should think in terms of passphrases rather than passwords.

♦ No complexity rules, but every new password should be checked against a blocklist of commonly used passwords, dictionary phrases, names, dates with special meaning, the company and product names, the user's own username, and anything else an attacker could research or guess; a match is rejected at the time the password is set.

♦ No scheduled password changes; instead, passwords are changed promptly when there is evidence of compromise. Use a tool or service to monitor for breaches: enterprise products such as ID Agent can be purchased, and the free Have I Been Pwned service (including its Pwned Passwords lookup) can be used to check both accounts and passwords. Some password managers include breach alerts, such as LastPass; bear in mind that password managers are themselves high-value targets (LastPass disclosed a breach of encrypted customer vault backups in 2022), so the manager's own security record belongs in the evaluation.

The password policy should really be a broader authentication policy that also sets out when multi-factor authentication (MFA) is required, since MFA limits the damage a leaked or guessed password can do.
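The rules in the list above can be enforced at the point where a password is set. The following is an added example, not code from the original page or from NIST, ID Agent or Have I Been Pwned: a small Python validator that applies the length rule, a blocklist, a username check and a breach-data check, and deliberately applies no complexity rule. The blocklist and the breach "range" data are constructed here so the example runs offline; the URL shape it imitates (GET https://api.pwnedpasswords.com/range/<first five hex characters of the SHA-1>, returning lines of <remaining 35 hex characters>:<count>) is the real Pwned Passwords k-anonymity API, but the `fetch_range` function is a stand-in and would be replaced with an HTTP client in practice.

```python
import hashlib
import re
import unicodedata

# Constructed blocklist standing in for a real list of common passwords,
# phrases, names and dates (NIST SP 800-63B calls for checking new
# passwords against such a list). In production this would be a large file.
BLOCKLIST = {
    "password", "letmein", "correct horse battery staple", "welcome to acme",
}


def sha1_hex_upper(password: str) -> str:
    """Uppercase hex SHA-1, the digest form used by the Pwned Passwords range API."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the k-anonymity range service. A real client sends
# only the first 5 hex characters of the SHA-1 and receives every suffix
# sharing that prefix, so the full hash never leaves the machine. The sample
# response below lists one known-bad value plus an unrelated filler line.
_KNOWN_BAD = "Password123!"          # assumed breached for this example
_KNOWN_BAD_HASH = sha1_hex_upper(_KNOWN_BAD)
CONSTRUCTED_RANGES = {
    _KNOWN_BAD_HASH[:5]: (
        f"{_KNOWN_BAD_HASH[5:]}:12345\r\n"
        "0018A45C4D1DEF81644B54AB7F969B88D65:2\r\n"
    ),
}


def fetch_range(prefix: str) -> str:
    """Offline stand-in for the HTTP call; returns a constructed response body."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in breach data (0 if never).

    Only the 5-character hash prefix is passed to `fetch`; matching the
    remaining 35 characters happens locally, which is what keeps the lookup
    anonymous.
    """
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


TOO_SHORT = "shorter than 15 characters"
BLOCKLISTED = "matches a blocklisted common phrase"
REPETITIVE = "repeats a character four or more times in a row"
CONTAINS_USERNAME = "contains the username"


def evaluate(password: str, username=None, fetch=fetch_range) -> list:
    """Return the list of policy violations; an empty list means acceptable.

    Note what is absent: no upper/lower/digit/symbol requirement, and no
    expiry date. Spaces are kept, so passphrases work as intended.
    """
    pw = unicodedata.normalize("NFKC", password)  # normalization NIST recommends
    problems = []
    if len(pw) < 15:
        problems.append(TOO_SHORT)
    if pw.lower().strip() in BLOCKLIST:
        problems.append(BLOCKLISTED)
    if re.search(r"(.)\1{3,}", pw):               # e.g. "aaaa", "1111"
        problems.append(REPETITIVE)
    if username and username.lower() in pw.lower():
        problems.append(CONTAINS_USERNAME)
    hits = breach_count(pw, fetch)
    if hits:
        problems.append(f"appears {hits} times in breach data")
    return problems


if __name__ == "__main__":
    for candidate, user in [
        ("Password123!", "jdoe"),                 # short, complex, and breached
        ("correct horse battery staple", "jdoe"), # long but on the blocklist
        ("jdoe prefers the mountains!", "jdoe"),  # contains the username
        ("the quiet harbor fog at dawn", "jdoe"), # acceptable passphrase
    ]:
        print(f"{candidate!r}: {evaluate(candidate, user) or 'OK'}")
```

The ordering matters in practice: run the cheap local checks first and consult the breach service last, and treat a breach hit as a hard rejection rather than a warning, since a password that is already in a cracking list offers no protection no matter how long it is.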

Telecommuting Policy

AKA “Work From Home Policy”

Sets the requirements and expectations for remote work, including expectations around communication, availability, and workplace safety (companies remain liable if employees are injured in a home office).

Business Continuity Plan

AKA “Disaster Recovery Plan”

Guides the organization through a business disruption. This is more than just an IT plan, although technology is a big piece of it, whether the company still runs business-critical in-house servers or depends on cloud services that can themselves go down. A complete business continuity plan includes sections on communication during a disaster and on responses to non-disaster but still company-threatening events, such as a major loss of income.