Security Policies: Why They Matter and Where to Start
Security policies set out the rules and procedures for using an organisation’s IT assets and resources. Their goal is to address security threats and define strategies to mitigate the associated risks. They should also define how the organisation recovers when an incident does occur. Regardless of size, every organisation should have documented IT security policies. For some, it is a requirement to comply with regulations and standards such as the GDPR or ISO 27001. Large organisations typically have extensive policies in place, but when you are a small or mid-sized business, how do you know what you need as a bare minimum? Read on for a checklist of items to consider.
Your security policy checklist
In most situations, security is not your core business. Yet most people encounter IT security threats, such as phishing emails, baiting or malware, on a regular basis. It helps to give employees guidelines for responding to such threats and to share best practices for avoiding them. Here are some basic considerations:
- Drive security awareness: train your team to recognise security threats, not just during onboarding but regularly. You could carry out surveys and quizzes to test your team’s awareness over time. During these training sessions and surveys, cover topics like:
- Workstation security: for instance, how do you know whether your Wi-Fi connection at home is secure?
- Virus protection: for example, keep work and personal use on separate computers, and run an approved antivirus product for extra protection.
- Recognising security threats: teach your team to identify common security threats and (targeted) social engineering attacks.
- Password hygiene: develop a password policy and share best practices for managing passwords, such as using a password manager rather than reusing one password across services.
- Assess your suppliers and software vendors with a security lens: before adopting a new tool or starting a new business relationship, find out whether your data is safe with that vendor. Map your privacy-related and business-sensitive data and determine the risk level. If you will be sharing sensitive or personal data, ask the vendor to sign a data processing agreement and/or a non-disclosure agreement. Evaluate the vendor’s own security policies as well: is the data encrypted, in transit and at rest? Does the tool support roles and access-management permissions so you can grant the least access needed? If you are a software vendor yourself, know the applicable intellectual property and licensing terms too. For example, if you build your own product on another company’s software or libraries, does the resulting code belong to you or to them? These are essential considerations for a sound relationship and for protecting business continuity.
- Keep backups and regularly update your systems: if one of your employees ends up with ransomware on their computer, backups can be a lifesaver. Encourage employees to back up their hard drives regularly and safely, which means to a location the infected machine cannot overwrite, and verify every so often that a backup can actually be restored. Backups are just as crucial for the organisation’s central IT systems. It is also critical to keep (operating) systems up to date so that you receive the latest security patches.
- Know your employees: if your organisation works with sensitive data, such as health records or financial information, it is important to know who you hire. Some organisations request a “certificate of good conduct” from potential hires, for instance.
- Get a certification or audit to continuously improve your processes and policies: regular audits drive continuous improvement. This field changes quickly, so it is easy to fall behind. Obtaining a certification such as ISO 27001 can help. For organisations in the Netherlands, NLDigital’s Data Pro Code is another option. If certification is not feasible for your business, you could at least subscribe to information security newsletters and resources to stay up to date.
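The password hygiene item above says to “develop a password policy” without saying what one looks like. As an added example (not code from the original page or from Visma Connect), the script below checks a candidate password against a policy in the spirit of NIST SP 800-63B: a minimum length, no forced composition rules, a deny list of breached or common passwords, and a block on organisation-specific words and trivial patterns. The minimum length, the deny-list entries and the context words are assumptions chosen for illustration; in practice the deny list would be loaded from a real breach corpus.

```python
"""Password-policy check: length, breached/common deny list, context words, trivial patterns."""
import hashlib
import re

# Assumed policy values (illustration only).
MIN_LENGTH = 12
MAX_LENGTH = 128

# Constructed deny list of SHA-1 digests. The SHA-1 format mirrors how breach
# corpora are commonly distributed; these four entries are made up for the example,
# a real deployment would load a large list from disk.
DENYLIST_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password", "123456789012", "welcome12345", "qwertyuiop12")
}

# Assumed organisation-specific terms that should not appear in a password.
CONTEXT_WORDS = ("visma", "connect")


def _has_run(s: str, n: int) -> bool:
    """True if s contains n consecutive characters whose code points step by +1 or -1
    (e.g. 'abcde' or '54321'), a common keyboard/sequence pattern."""
    for i in range(len(s) - n + 1):
        window = [ord(c) for c in s[i:i + n]]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def check_password(password: str, username: str = "") -> list:
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if len(password) > MAX_LENGTH:
        problems.append("too long")

    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    if digest in DENYLIST_SHA1:
        problems.append("breached or common password")

    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("contains username")
    if any(word in lowered for word in CONTEXT_WORDS):
        problems.append("contains organisation term")

    # Four or more of the same character in a row, e.g. "!!!!".
    if re.search(r"(.)\1{3,}", password):
        problems.append("repeated characters")
    # Five-character ascending or descending sequence, e.g. "12345" or "edcba".
    if _has_run(password, 5):
        problems.append("sequential characters")
    return problems


if __name__ == "__main__":
    for candidate, user in (
        ("correct horse battery staple", "alice"),
        ("Visma2024!!!!", "bob"),
        ("welcome12345", "carol"),
    ):
        verdict = check_password(candidate, user)
        print(f"{candidate!r}: {'OK' if not verdict else ', '.join(verdict)}")
```

The check deliberately does not demand uppercase, digits or symbols: length and a breach deny list prevent far more real-world compromises than composition rules, which mostly push people toward predictable substitutions. Pair a check like this with a password manager recommendation and multi-factor authentication where the service supports it.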
Of course, an information security policy is only as good as its implementation.
How do you enforce a security policy?
As in a family, there are different approaches to enforcing rules in a company. Some take a more lenient approach in which trust in employees takes the front seat. Others prefer a more top-down approach in which the managing directors oversee the whole process. A balance needs to be struck. It is important to motivate your team and help them understand why the policies exist and how they help. At the end of the day, these policies are not only for IT people: every employee must comply with them. That is what allows customers and stakeholders to work securely with your organisation.
Security at Visma Connect
At Visma Connect, we have many security policies in place. We hold security certifications including ISO 27001 and the Dutch Data Pro Code, and our employees attend regular awareness sessions. This matters to our customers: it gives them peace of mind to know that Visma Connect is continuously applying policies and procedures to keep up with an ever-changing landscape of threats and vulnerabilities. We are a dependable partner and take every care to keep assets secure.