Information security policies are essential for tackling organisations’ biggest weakness: their employees.
Everything an organisation does to stay secure, from implementing technological defences to physical barriers, is reliant on people using them properly. It only takes one employee opening a phishing email or letting a crook into the premises for you to suffer a data breach.
Information security policies are designed to mitigate that risk by helping staff understand their data protection obligations in various scenarios.
Organisations can have as many policies as they like, covering anything that’s relevant to their business processes. But to help you get started, here are five policies that every organisation must have.
1. Remote access
The days of 9-to-5 office work were over even before COVID-19 – and many organisations will continue to allow employees to work remotely when life as normal resumes.
Remote employees will not only use work computers but may also use their phones to check work emails outside business hours or while travelling.
This is great for productivity and flexibility, but it also creates security concerns. Remote workers don’t have the privilege of the organisation’s physical and network security provisions, so they need to be instructed on what they can do to prevent breaches.
At a minimum, policies should cover the use of public Wi-Fi, accessing sensitive information in public places and storing devices securely.
2. Password creation
Pretty much everyone uses passwords at home and at work to access secure information, so you’d think we’d all have the hang of it by now.
Unfortunately, that’s not the case. Hacked passwords are among the most common causes of data breaches, and it’s hardly a surprise when people set weak passwords such as ‘123456’ and ‘Password’.
Organisations should mitigate this threat by creating a password policy that outlines specific instructions for creating passwords.
The received wisdom about passwords is that they should be a combination of at least eight letters, numbers and special characters. However, this doesn’t always guarantee a strong password, as employees are still susceptible to easily guessable phrases such as ‘Password#1’.
You might be better off encouraging employees to use a mnemonic, such as taking the first letter, as well as numbers and punctuation, from a memorable sentence. So, for example, ‘The old man caught the 15:50 train’ becomes ‘Tomct15:50t’.
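The two points above, that a simple complexity rule lets ‘Password#1’ through and that a mnemonic sentence produces something better, can be checked mechanically. The following is an added example, not code from the original post: it implements the naive "eight characters with letters, numbers and specials" check, adds a denylist of well-known passwords and their trivial variants (the list here is a small constructed one; a real deployment would use a large breached-password corpus), and derives a password from a memorable sentence exactly as described, keeping the first letter of each word plus any numbers and punctuation.

```python
import re
import string

# Constructed, illustrative denylist. In production this would be a large
# breached-password list, not a handful of entries.
COMMON_PASSWORDS = {"123456", "password", "password1", "password#1", "qwerty", "letmein"}


def meets_complexity(pw: str, min_len: int = 8) -> bool:
    """The 'received wisdom' rule: at least min_len characters mixing
    letters, digits and special characters."""
    return (
        len(pw) >= min_len
        and any(c.isalpha() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


def is_common(pw: str) -> bool:
    """True if the password, or the password with trailing digits/symbols
    stripped, is a known weak password (case-insensitive). This is what
    catches 'Password#1' even though it passes the complexity rule."""
    folded = pw.casefold()
    stripped = re.sub(r"[\d\W_]+$", "", folded)
    return folded in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS


def check_password(pw: str) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if not meets_complexity(pw):
        problems.append("does not meet length/character-class requirement")
    if is_common(pw):
        problems.append("is a common password or a trivial variant of one")
    return problems


def mnemonic_password(sentence: str) -> str:
    """Derive a password from a memorable sentence: the first letter of each
    word, plus any digits and punctuation the word contains, in order."""
    parts = []
    for token in sentence.split():
        if token[0].isalpha():
            parts.append(token[0])
        # Keep numbers and punctuation (e.g. '15:50') verbatim.
        parts.append("".join(c for c in token if not c.isalpha()))
    return "".join(parts)


if __name__ == "__main__":
    for candidate in ["123456", "Password#1", mnemonic_password("The old man caught the 15:50 train")]:
        print(candidate, "->", check_password(candidate) or "OK")
```

Running the block shows ‘Password#1’ satisfying the complexity rule yet being rejected by the denylist check, while the sentence from the text yields ‘Tomct15:50t’ and passes both. The denylist lookup is the part worth keeping in any real policy: complexity rules alone only constrain the shape of a password, not how guessable it is.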
3. Password management
Strong passwords only work if their integrity remains intact. If you leave them written down, share them or select ‘remember this password’ on a public computer, you risk them falling into the wrong hands.
The same is true if you use the same password on multiple accounts. Let’s say a criminal hacker breaks into a database and finds the credentials for your personal email account.
If they can work out where you work (which they have a good chance of through a Google, Facebook or LinkedIn search), they’ll probably try that password on your work email and other work-related accounts.
It’s therefore essential that organisations include a policy that instructs employees not to share passwords, write them down or use them on multiple accounts.
4. Portable media
Cyber criminals can easily infect an organisation’s systems by planting malware on a removable device and then plugging it into a company computer.
Many organisations counteract this threat by banning removable devices and relying on email or the Cloud to transfer information.
This might not be viable for you, but there should always be safeguards in place. For example, you might set limits on who can use removable devices or create a rule instructing employees to scan devices before use.
5. Acceptable use
Organisations should never expect employees to spend 100% of their time at work doing work-related activities, because everyone needs a break now and then.
But just because you give employees this leeway, it doesn’t mean you can’t keep a careful eye on what they do during those breaks.
If an employee wants to spend a few minutes checking their personal email or how many likes their latest Instagram post got, there’s not much to complain about.
Indeed, giving employees the chance to quickly deal with personal issues or gain the validation of strangers on social media should lead to a happier, more productive workforce.
However, the same can’t be said if an employee wants to spend their time downloading files from a dodgy website or visiting other sites that are notorious for malware.
You can prevent much of the risk by blocking certain websites, but this isn’t a fool-proof system, so you should also include a policy prohibiting employees from visiting any site that you deem unsafe.
The policy should clearly state the types of sites that are off-limits and the penalty that anyone found violating the policy will receive.
Get help creating your security policies
Documenting your policies takes time and effort, and you might still overlook key issues. That’s why we created our bestselling ISO 27001 Information Security Policy Template.
This customisable tool enables you to create policies that align with the best practices outlined in the international standard for information security, ISO 27001.
Whether you want to make sure you have complete coverage of your information security concerns or simply want to speed up the documentation process, this template is an ideal resource.
A version of this blog was originally published on 15 January 2019.