An organisation’s policies are at the heart of its business operations. They detail exactly how employees should handle certain issues, ensuring that everybody is on the same page and following agreed best practices.
Effective policies are all the more important now that the EU GDPR (General Data Protection Regulation) is in place. Dave Rickard, technical director at CIPHER Security, says the GDPR has emphasised the need for data protection policies. After all, the GDPR’s requirements include the need to document how you are staying secure.
Rickard lists five data protection-related policies that all organisations must have.
- Encryption policies
According to Rickard, most companies lack policies around data encryption. That will need to change with the GDPR, because a key tenet of the Regulation is that organisations should secure data with “appropriate technical and organisational measures”. Current guidance states that encryption is central to this.
Although encryption won’t stop malicious actors accessing an organisation’s information, it will prevent them from being able to use it. It works by obscuring information and replacing identifiers with something else, meaning the information is only accessible or comprehensible to approved users.
Organisations might also choose to pseudonymise data, either instead of or alongside encryption.
- Acceptable use policies
If you don’t want employees spending all day on non-work-related websites, you ought to put in place an acceptable use policy. This outlines any activities that are outright prohibited (you will probably include visiting certain websites or downloading applications), as well as stating limits on the amount of time employees can spend pursuing non-work activities.
Be careful when writing your acceptable use policy. Remember, it’s about keeping your employees away from malware and viruses as much as it is about preventing them from slacking off. The temptation is to set a zero-tolerance approach, but a 2017 ruling by the ECHR (European Court of Human Rights) found that some level of personal use must be tolerated, saying: “[A]n employer’s instructions could not reduce private social life in the workplace to zero”.
Your acceptable use policy should also tell employees how the organisation monitors them to ensure the policy is being followed. The ECHR states that monitoring activities should be deliberate and unobtrusive. Under no circumstances should organisations use exhaustive or automated measures, such as spyware, nor should they use any method that leaves no trace of the monitoring.
- Password policies
There is so much advice on creating strong passwords, and so many warnings about the perils of weak ones, that there is simply no excuse for employees to use combinations such as “password1” or “0123456”.
Policies should outline guidance for what a password should look like (e.g. a combination of letters, numbers and special characters) and require staff to use a different password for each account. Organisations should also implement systems that prompt staff to change their password at least every six months.
Rickard adds that password policies should also warn employees about writing their passwords down. “One of the easiest ways to breach a company is to put somebody on the janitorial staff and go looking at desks. People often have Post-it notes on monitors with passwords on them.”
- Email policies
IT should have a policy in place that hardens systems and detects spam and viruses. “The kind of information that can be disclosed via email should be spelled out very clearly,” said Rickard.
One of the biggest email-based threats is phishing, which can be mitigated by technology only to some extent. Scam emails often look legitimate enough to bypass spam filters, meaning the only thing standing between an organisation and a data breach is the employee’s ability to recognise the threat.
Email policies should therefore mandate that employees take regular staff awareness courses to stay up to date with the threat of email-based fraud.
- Data processing policies
Organisations should map the way data flows through their organisation to see what data is being processed, how it’s being used and who is receiving it, said Rickard, so a policy is required to ensure this happens. This has become especially important since the GDPR took effect, as it enables organisations to account for all their data and provide the necessary information to individuals who submit data subject access requests.
Employee training is key to success
Rickard stressed the need for employee training to ensure each of these policies is maintained. “Security awareness and training is the cornerstone of any security program,” he said.
IT Governance offers a variety of staff awareness solutions to help educate your staff. We recommend beginning with one of our e-learning modules, as they are a quick and convenient way of bringing your entire organisation in line with its data protection obligations.
Whether you opt for our GDPR, information security or phishing and ransomware course, you are guaranteed to receive expert advice that will benefit your whole organisation. The courses can be taken at a time and place that suits your staff, and are perfect for introducing new employees to the practicalities of cyber security and data protection.
You might also be interested in our template GDPR policies, which show you exactly what you need to do to comply with various requirements of the Regulation. All you need to do is customise the document to suit your organisation, and then you’re free to put the plan into action.