Must-Have IT Policies for Every Organization
Ransomware attacks have increased more than 11 percent in the past 12 months, according to Kaspersky Labs data. The first half of 2017 has already seen two global ransomware attacks, as WannaCry and Petya disrupted operations for businesses, healthcare organizations, government agencies and educational institutions around the world. Even worse, the Petya attacks offered further proof that you can’t trust hackers to restore access to your data after you pay the ransom demand.
Awareness of ransomware and other threats has increased, and organizations are implementing new security tools to beef up their defenses. However, security tools have limited value if there’s no overarching IT strategy to guide their use. Your IT policies create that strategy, but for many small to midsize businesses, IT policies are either out of date or non-existent. This only increases the risk of security breaches and regulatory compliance issues.
There are certain IT policies every business should have. The first is an acceptable use policy, which defines company IT resources and the proper way to access and use them. A security awareness policy educates all users about threats, security training initiatives, and the impact of user activity on security and regulatory compliance.
An information security policy defines the people, processes and technology involved in IT security and lays the foundation for a data risk management program. An incident response plan will define the criteria for a security incident, roles and responsibilities for those involved in responding to an incident, and processes for detecting, reporting, mitigating and analyzing threats.
Incident response planning ties into disaster recovery and business continuity, which help you manage risk in real time in case of a data breach, weather event or some other disaster. It establishes a formal plan for communicating with employees and vendors and restoring critical data and applications with minimal business disruption. A policy governing data backup, retention and destruction will establish guidelines for how frequently information systems are backed up, how long various types of data must be retained, where these information systems and data are stored, and approved methods for disposing of old technology and data.
There should be a change management policy to ensure that changes to IT systems, hardware and software are being properly managed, approved by leadership, and tracked. Because users often work remotely, and outsourced vendors and contractors access the network remotely, there needs to be a policy for remote access. In other words, how must remote users securely access the network, and what type of activity is required and prohibited to minimize risk?
The growth of remote workforces is being driven in large part by the use of employee-owned devices for work purposes, which is why a bring-your-own-device (BYOD) policy must be documented. A BYOD policy clarifies what devices, operating systems and applications are permitted. It also establishes rules for passwords, installing applications, reporting lost or stolen devices, and accessing, sharing and storing data.
ABOUT THE AUTHOR
Lisa Detwiler, President joined SSD Technology Partners in 2006 as Chief Marketing Officer, and in 2014 she and her two partners Woodie Bowe and Nick Ewen purchased the company. Detwiler holds an MBA in Marketing and Strategy from Carnegie Mellon University. Lisa successfully led SSD through a difficult economy in 2012, recording the company’s greatest growth record in 31 years.
Lisa believes that our foundation for success does not come from fancy business buzzwords or the latest management fads. Success comes from behaviors and commitments to basic guidelines of how we operate as individuals and as a company; do what’s best for the client, practice blameless problem solving, seek to create win/win solutions, check the ego at the door, and communicate to be understood.
Lisa serves the community as a Board Chair of both the American Red Cross and the Delaware Better Business Bureau and has been a member of Wilmington Rotary Club for 10 years.