Information security policies are essential for tackling organisations’ biggest weakness: their employees.
Everything an organisation does to stay secure, from implementing state-of-the-art technological defences to sophisticated physical barriers, relies on people using them properly. It only takes one employee opening a phishing email or letting a crook into the premises for a breach to occur.
The purpose of information security policies is to prevent that, providing instructions for staff to follow in various scenarios.
An organisation’s list of policies can be extensive, covering anything that’s relevant to their processes, but here are five that should always be in place.
The days of 9-to-5 office work are over. Employees are often encouraged to use their phones to check their work emails outside of business hours, others work while travelling, and the past few years have seen a sharp increase in the number of people working from home.
This is great for productivity and flexibility, but it also creates security concerns. Remote workers don’t have the privilege of the organisation’s physical and network security provisions, so they need to be instructed on what they can do to prevent breaches. Policies should cover the use of public Wi-Fi, accessing sensitive information in public places and storing devices securely, among other things.
Pretty much everyone uses passwords at home and at work to access secure information, so you’d think we’d all have the hang of it by now.
Unfortunately, that’s not the case. Hacked passwords are among the most common causes of data breaches, and it’s hardly a surprise: people set weak passwords, and crooks only need a password-cracking machine that churns out ‘123456’, ‘Password’ and a few hundred similar guesses before they get their hands on some valuable company information.
Organisations should mitigate this threat by creating a password policy that outlines specific instructions for creating passwords. The received wisdom about passwords is that they should be at least eight characters long and combine letters, numbers and special characters. However, meeting those rules doesn’t guarantee a strong password, as employees can still choose easily guessable phrases such as ‘Password#1’ that tick every box.
You might be better off encouraging employees to use a mnemonic, such as taking the first letter, as well as numbers and punctuation, from a memorable sentence. So, for example, ‘The old man caught the 15:50 train’ becomes ‘Tomct15:50t’.
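The two points above (composition rules are not enough on their own, and a mnemonic built from a memorable sentence is a better starting point) can be made concrete in code. The following is an added example, not part of the original article or any vendor’s tooling: it checks a candidate password against the eight-character composition rule, then screens it against a small denylist of common passwords and obvious sequences, and it builds a mnemonic from a sentence using the rule the article describes. The denylist is constructed for illustration; the mnemonic rule (first letter of each word, tokens containing digits kept whole) is one reading of the article’s description and is an assumption.

```python
"""Password policy check: composition rules alone versus composition rules
plus a weak-pattern screen, with the article's mnemonic rule.
Added example; not the article's own code."""
import re

MIN_LENGTH = 8

# Constructed denylist of common passwords (lower-cased). A real deployment
# would load a large list of previously breached passwords instead.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome"}

# Obvious keyboard and numeric runs that composition rules do not catch.
SEQUENCE_PATTERN = re.compile(r"(0123|1234|2345|3456|4567|5678|6789|abcd|qwer|asdf)")


def meets_composition_rules(pw: str) -> bool:
    """The 'received wisdom' rule: 8+ characters with letters, digits and symbols."""
    return (
        len(pw) >= MIN_LENGTH
        and re.search(r"[A-Za-z]", pw) is not None
        and re.search(r"\d", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def is_guessable(pw: str) -> bool:
    """Screen for passwords that satisfy the composition rules but remain
    trivially guessable: a common word padded with a digit/symbol suffix
    (e.g. 'Password#1'), or a simple sequential run."""
    lowered = pw.lower()
    # Strip a trailing run of non-letters so 'password#1' -> 'password'.
    core = re.sub(r"[^a-z]+$", "", lowered)
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        return True
    return SEQUENCE_PATTERN.search(lowered) is not None


def evaluate(pw: str) -> dict:
    """Return the verdict of each check and the overall accept/reject decision."""
    composition_ok = meets_composition_rules(pw)
    guessable = is_guessable(pw)
    return {
        "composition_ok": composition_ok,
        "guessable": guessable,
        "accepted": composition_ok and not guessable,
    }


def mnemonic_from_sentence(sentence: str) -> str:
    """Build a password from a memorable sentence: the first letter of each
    word, with any token containing digits (times, dates) kept whole so its
    numbers and punctuation survive. Assumed reading of the article's rule."""
    parts = []
    for word in sentence.split():
        if any(ch.isdigit() for ch in word):
            parts.append(word)
        else:
            parts.append(word[0])
    return "".join(parts)


if __name__ == "__main__":
    # Constructed candidates: the article's examples plus one more.
    for candidate in ("123456", "Password#1", "Welcome2024!",
                      mnemonic_from_sentence("The old man caught the 15:50 train")):
        print(f"{candidate!r:>16} -> {evaluate(candidate)}")
```

Running the block shows the point the article makes: ‘Password#1’ passes the composition rule yet is rejected by the screen, while ‘Tomct15:50t’ passes both. The screen here is deliberately small; in practice the denylist would be a large list of known-compromised passwords, which is what current guidance such as NIST SP 800-63B recommends checking against.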
Strong passwords only work if their integrity remains intact. If you leave them written down, share them or select ‘remember this password’ on a public computer, you risk them falling into the wrong hands.
The same is true if you use the same password on multiple accounts. Let’s say a criminal hacker breaks into a database and finds the password for your personal email account. If the crook can work out where you work (which they have a good chance of through a Google, Facebook or LinkedIn search), they’ll probably try that password on your work email and other work-related accounts.
It’s therefore essential that you include a policy that instructs employees not to share passwords, write them down or reuse them across multiple accounts. You might also suggest that employees use a password manager, such as LastPass or 1Password, to help them generate and keep track of unique passwords.
Crooks can easily infect an organisation’s systems by planting malware on a removable device and then plugging it into a company computer. Many organisations counteract this threat by banning removable devices, relying instead on email or the cloud to transfer information.
This might not be viable for you, but there should always be safeguards in place. For example, you might set limits on who can use removable devices or instruct that they are always scanned before use.
Managers and employees often question how much time in the office can be spent doing non-work-related activities, but the more important question is what they do during those breaks.
If an employee wants to spend a few minutes checking their personal email or how many likes their latest Instagram post got, there’s not much to complain about. Indeed, giving employees the chance to quickly deal with personal issues or gain the validation of strangers should lead to a happier, more productive workforce. However, the same can’t be said if an employee wants to spend their time downloading files from a dodgy website or visiting other sites that are notorious for malware infection.
You can prevent much of the risk by blocking certain websites, but this isn’t a fool-proof system, so you should also include a policy prohibiting employees from visiting any site that you deem unsafe. The policy should clearly state the types of site that are off-limits and the punishment that anyone found violating the policy will receive.
Need help creating your policies?
Documenting your policies takes a lot of time and effort, and you might still overlook key policies or fail to address important issues. However, you can avoid those problems with our bestselling ISO 27001 Information Security Policy Template.
This customisable tool enables you to create an information security template that aligns with the best practices outlined in ISO 27001.
For a complete set of information security templates, use our ISO 27001 documentation toolkit.