5 IT security policy best practices

Computer security policies are to companies what rules are to children. At first you push back and complain, but as you get older you begin to appreciate their importance.

When done correctly, security policies codify the basic contracts and procedures necessary to ensure that a business operates safely and efficiently. Well-executed security policies contribute to a company’s success by providing a concise statement of management intent; they serve as a quick-start guide to an organization’s security program. IT security policies help ensure that employees know what is expected of them and that leaders have clear guidelines and requirements.

Security policies also serve as the basis for shared standardized information gathering (SIG) assessment questionnaires and other vendor assessment questionnaires, which are becoming increasingly important to doing business today.

To ensure that IT security policies do what they were created to do, they should be up to date and reviewed and updated regularly. Need to create completely new security policies? Or update your old, outdated security policies into dynamic, relevant policies that help guide your business to success? Here are five best practices to get you started.

1. Know what you need policies for

Policy requirements vary depending on a company’s size and industry. A global financial institution, for example, will have much more complex policies than a small accounting firm or even a cloud-native fintech. If your organization is in a regulated industry, include all of your assessor’s requirements in your IT security policies. If your organization is not regulated, NIST SP 800-53 Rev. 5 contains an extensive checklist, which includes recommended policy tips. Remember that if you don’t use a given control, you don’t necessarily need a policy for it. Additionally, NIST does not list an Acceptable Use Policy (AUP) for employees or contractors who access your systems, but it is an essential policy for all businesses.

2. Be smart about policy reuse

Shared assessments and certifications are more important today than ever, given the increased focus on supply chain security. Most customers and partners will ask you to complete an attestation or SIG form. Your policies are the basis for many of the answers to these SIG questions. Streamline the response process by modularizing your policies: create sections that can be cut and pasted directly into SIG questionnaires.

3. Make them readable

Unless your employees are all lawyers, they’re probably not fluent in legal language. Take the time to write policies that are readable to your target audience, especially policies that require staff action. For example, the AUP should be readable by everyone in the company, since everyone is expected to understand and follow it. A backup policy, on the other hand, can be more technical, as it will be used by the IT team to inform their backup process.

4. Less is more

Many companies adopt extremely lengthy and comprehensive policies. The problem is twofold. First, if it’s too long, no one will read it. The second problem is even more serious: if your policy says your company will do something, it must do it. Spend time thinking about what your business can reasonably achieve. A company that actually does everything its policy says will be ahead.

5. Keep them fresh

Remember: security policies are living documents. Your business will grow, technology will evolve, and IT security policies will also need to change. Designate a person or team to oversee the policies and ask them to establish a regular cadence of review and revision. Although one or two people may lead the review process, it is important that they involve the key stakeholders affected by the controls to which the policies apply. This creates a culture of collaboration where policies are created by the company rather than “done to” people without input.
