Information Security Policy, How do you Write One?

Your Information Security Policy must address the mushrooming size of the physical Internet, the ever-increasing volume of data being squeezed through it, and the wider range of information security. When you say “computer security”, what comes to mind most often are external threats: hackers, malware, viruses, botnets. But when you look at computer and IT trends, new technologies — mobile devices, social networking, and the like — pose a much greater threat to the integrity of your company. So, what are the best ways to secure your information?

That’s right — your employees are at least as great a threat to your information security policy as are the people on the outside trying to break in.

What can you do to secure your information, your network, and your computers from IT security threats? There are a number of steps you can take to protect your business, most of them inexpensive and easy to implement.

10 Best Ways to IT Security Policy

1. Manage Your Technology Life Cycle

Old computer technology is less secure than new technology. Newer technology implements the latest tools (like intrusion protection), so one of the best things you can do to create an Information Security Policy is to secure your information and protect your business is to use the latest technology.

In fact, you should develop a technology life cycle plan for all of your computer hardware and software assets. Consider replacing computers after four years; budget 25% each year for new technology to replace the old.

2. Establish a Password Security Policy

This one is really simple: make sure your computers, servers, wi-fi connections, etc., all have password protection. Adding open devices and connections to your network is just inviting trouble.

Close those connections now, using unique passwords for each user. Use strong, complex passwords, as many security professionals (and companies like Microsoft) have been recommending for some time. Your IT Security Policies should require passwords be replaced every month or every quarter. Lock out an account after “n” failed login attempts. Disable past employee accounts immediately.

3. Back Up Your Data Frequently

Everyone I talk to says they have a back-up plan and, of course, they perform backups, but are their servers backed up frequently enough? And what about individual PCs – do they have data or apps that aren’t on the servers? Are they backed up, ever? Should they be?

Are backups taken off-site? Have you tried to restore your backups to a computer that is NOT in the original location? Are you using cloud-based apps but wonder if your cloud-based data are backed up appropriately? (Bizmanualz Onpolicy Procedure Management Software eliminates the need for backups at the user level.)

And have you tested your backup process lately? Trust me — when you’re trying to recover your system from an attack or a fatal system error is not when you want to find out your backup process doesn’t work. Your IT Security Policies should specify regular backups.

4. Use Malware and Virus Protection

It happens — people inadvertently download something they shouldn’t (social engineering techniques are that effective). The next thing you know, that computer — even your whole network — is compromised. You should have a Computer Malware Procedure.

When you develop an information security policy, consider centralizing your anti-virus and anti-spyware management instead of having each user responsible for their own devices. Enable frequent virus scanning and frequent, automatic updates. To secure your information, monitor your anti-virus subscriptions — you can’t afford to let them lapse.

5. Secure Your Mobile Devices

Your company may be facing increasing liability exposure from employees housing data in PDAs, laptops, or cellphones. If your employees have access to sensitive information (think “WikiLeaks”), you need to develop a Mobile Device Management Plan that addresses digital rights management, data loss prevention, data security, and other IT internal controls. Consider anti-virus device security and data protection that includes the ability to wipe a device, in case it’s misused.

And, if you don’t want employees using their personal devices to handle company information…what’s your policy on that and how do you enforce it?

6. Communicate Your Information Security Policies

Imagine you’ve created a new password policy, invested in anti-virus software, and developed a Mobile Device Management Plan but you haven’t told anyone. How useful will those measures be in helping secure your information?

You must communicate your IT security policies and train your employees how to implement computer security methods. You can’t just tell everyone in an email that “here’s our IT Security Policy”, and leave it at that. You have to show everybody how important it is, how it’s done, and how it helps secure your information.

You have to ensure that all employees understand the new password policy, how anti-virus software keeps your computer safe, what “acceptable use” is, and the importance of protecting their mobile devices.

7. Restrict Access to Your Data

IT Security Policies found in Microsoft Windows, Linux, and other operating systems have their own kind of user access controls. Using them means you have to identify what each user login requires for data, network, or peripheral access (e.g., read only, read/write, execute). If you allow too much freedom of access, you increase the risk of misuse, data loss, etc., but if you make restrictions too tight, you’ll get far too many user complaints. There’s a very fine line between too much and too little — that line often isn’t easy to find, and it moves around a lot.

8. Implement a Contingency Plan

A computer, IT, or data center disaster recovery plan is an important element of securing your computer data. There are more than hackers and trusting (or untrustworthy) employees — there are acts of nature that threaten your business’s continuity, too.

You never know when fire, flood, tornado, riots/uprisings, robbery, or other catastrophic events will occur but if one (or more) of them does strike…how long will it take you to get your business back online? Without a disaster plan in place, it will take too long.

Your IT Security Policies should include hardware and software replacement, data recovery, and key configuration, restoration, or installation details. It should include appropriate software license numbers, insurance numbers, and key contractor or supplier numbers. It should cover testing, validation, and performance criteria. Furthermore, you need to thoroughly test your recovery plan before you need it.

9. Block Would-Be Intruders from Your Network

First, you can’t do this perfectly, but you can at least make it more difficult by installing a business-class firewall and updating it regularly. Close all the firewall ports you’re not using. Don’t use older WEP security (see #1, above) but invest in newer, stronger technology like WPA2. Always make sure you’re up on the latest threat prevention methods.

IT Security Policies should be set to restrict access to DNS zone transfers, which hackers can use to read your DNS records and obtain your server details. Add an Intrusion Protection System (IPS) that monitors network and system events for malicious activity.

10. Close Holes in Your IT Security Policy

As we often say in the quality field, “You don’t know what you don’t know.” This is true for IT security, as well. To find the holes in your computer security system, perform some type of regular IT security audit and network inspection. Check your firewall and server logs for signs of threat.

See that you’ve implemented measures to address the first nine points above. Secure your information technology by securing your computer networks. Enable automatic updates. Deploy Windows Server Update Service (WSUS) and Windows Update for all PCs and workstations. Be sure your anti-virus and other malware prevention systems are being automatically and regularly updated.

I also recommend hiring an independent computer security expert to audit your information security system and conduct system tests (penetration testing, leak testing, etc.) from time to time. You can also look for software applications, like The Secunia Personal Software Inspector (free download), that scan your installed software to identify potentially unsafe (e.g., out-of-date) programs and offer downloads to the latest software patches.

Is Your Information Technology Secure?

If you take the time to implement these 10 tips for IT security policies, you’ll be doing a great deal to ensure the security of your IT data. No IT system is perfect, of course, but if you take these ten easy steps, you’ll minimize or eliminate the majority of security threats to your IT system.

What are you doing to ensure the security, integrity, and availability of your company’s data? Is there anything you’d add to (or remove from) this list? What’s your biggest concern, information security-wise?