Information security policies are an often-overlooked part of an organisation’s defence measures. An effective policy informs the way employees handle cyber security threats, ensures that they use defence technologies properly and indicates board-level support for cyber security.
In this blog, we outline six essential information security policies that your organisation must have.
1. Patch management
Patches fix bugs and vulnerabilities in an organisation’s systems that would otherwise allow cyber criminals to conduct an attack. Once a patch has been released, the vulnerability is made public so that organisations can apply the patch.
Unfortunately, that also means crooks are aware of the vulnerability, and they will attempt to exploit it before the organisation applies the patch.
To ensure this doesn’t happen, you should have a patch management policy in place. This enables you to keep track of patches and apply them promptly.
2. Access controls
Access controls ensure that employees can only view information that’s needed for their job. That means lower-level employees won’t be able to access sensitive information unnecessarily, reducing the risk of accidental breaches or malicious action.
3. Acceptable use
Most workplaces have come to accept that employees will spend a portion of their day doing non-work-related activities. When you’re sitting behind a desk for hours on end, it’s only natural to occasionally check your emails or Facebook page. That’s even more true if your employees remain at their desks during their lunch break.
Most of these activities are relatively innocuous, but others (like downloading files from untrusted websites) come with risks that should be avoided. An acceptable use policy should state what kinds of websites and activities are off-limits.
4. Workplace monitoring
Whether an acceptable use policy is in place or not, organisations should implement a workplace monitoring policy.
Managers are often uncertain how much monitoring they’re allowed to conduct, so they should do their research. A 2017 ruling by the European Court of Human Rights restricted what’s legal, but there is still plenty of freedom for workplace monitoring.
The two most essential conclusions of that ruling are that, first, employers must be as clear and unobtrusive as possible. They must document the method and purpose of any monitoring activities, and they aren’t permitted to use secretive methods, such as spyware or physical monitoring.
Second, workplace communications, such as instant messages, are considered personal data under the GDPR (General Data Protection Regulation), so any monitoring must be accompanied by a lawful ground for processing.
5. Password creation
Hacked passwords are among the most common causes of data breaches, which isn’t a surprise when you see how many people use passwords like ‘123456’ and ‘Password’.
Organisations must have a policy that establishes strict rules for password creation. At the very least, all passwords should be required to be at least eight characters long and to combine letters, numbers and special characters.
6. Removable devices
As soon as you take a device outside the organisation’s premises, you create new risks. Crooks can exploit the lack of physical and network protections to infect the device with malware, which could spread throughout the organisation, or simply steal the device and access the information stored on it.
Some organisations combat these risks by banning removable devices altogether, but this might not be possible for you. The alternative is to establish limits on who can use removable devices, or to require that devices be scanned before they are plugged into company computers.
How effective are your policies?
You can find out how effective your information security policies are, and discover the overall strength of your security measures, by taking our cyber security self-assessment.
This short questionnaire asks you about your defence measures and suggests ways for you to become more secure.