The key to effective IT security is a sound information security policy - a document stating how you plan to protect your IT assets.
The policy should be endorsed by senior management and continuously updated as your technology and employee requirements change.
As a minimum, your information security policy should include:
- the scope, objective and importance of information security to the business
- a statement of intent from management supporting the goals and principles of information security
- a brief explanation of minimum standards, procedures, requirements and objectives of particular importance to the business
- definitions of roles and responsibilities for information security
- details of the process for reporting, responding to and resolving security incidents
- references to supporting documentation, such as more detailed security policies, procedures, implementation guides or security specifications and standards
The security policy should also address:
- your business' use of the internet, and the related threats
- the internet services that can be used
- who authorises connections
- who is responsible for security
- what standards, guidelines and practices should be followed
You should also consider setting up an acceptable use policy as part of your security policy. This should describe how the business plans to educate its employees about protecting its assets. It should also explain how security measures will be carried out and enforced. See our guide on how to introduce an internet and email policy.
0 comments:
Post a Comment