Hello Folks! Welcome to Our Blog.

Most home users can close their eyes and happily pass through this article. That’s not to say it doesn’t apply, just that not many home users want to get burdensome and official with their family, and this article covers the scary topic of Security politics

What is a security policy?

A security policy is a statement (usually written) of what the users of your system can and cannot do. It also usually covers some aspects of the penalties that will be taken for breaches of the policy. (Now see why not many home network owners implement a security policy!)

A comprehensive security policy states the obvious as well as the obscure:

  • If you don’t want your staff to use work computers to surf the web for private purposes, say so. Also tell what will happen if they are caught doing it. And tell them why (misuse of business resources, lost time, traffic costs, impact on other business processes, danger of virus / Trojan infections … the list is (almost) endless).
  • If you don’t allow users to take their laptops home, let them know.
  • An often overlooked threat is users who fairly legally take corporate laptops home and then connect them to unsecured home networks. Make sure they understand that the company’s security policy applies ALL THE TIME, even when they are at home or on vacation in the Seychelles.

Make sure the policy is consistent and clearly written. Consistency is especially important in its applicability. If the policy does not apply to the boss’s son or IT director, make it clear in the policy and explain why. Users often use the excuse “Well, he did it, so why shouldn’t I?”

Of course, if the policy is too big, no one will read it, so use all the advertiser tricks to drive the point home: login prompts, browser interfaces you have to click ‘read and understand’ to continue, training and question-and-answer sessions, bulletin board postings, regular follow-up, and well-publicized penalties, from verbal and written warnings, to and including termination for very serious or repeated offenses.

And, once again, make sure EVERYONE knows it, what it says, and to whom it applies. An important issue that is often overlooked is that senior staff must be more careful in applying it than junior secretaries. After all, a CFO’s laptop is more likely to contain potentially business-destructive information than a salesperson’s PDA.

Why bother having a security policy?

Your security policy is a bit like an insurance policy. No insurance policy stopped an accident or prevented a disaster directly, but such documents:

  • Inform users of what they can and cannot do while staying within the rules – they ignore the policy at their own risk!
  • Tell users that you know what they are doing and what action you will take if they break the rules.
  • Give ammo if any action is necessary
  • It provides your IT designer and support staff with a baseline for implementing your security architecture.
  • And possibly most importantly, prevent any offender from saying “I didn’t know …” or “You never told me …”

Creating a security policy is always a two-way process: often the IT user / designer / support will come to you and ask, “But what about …?”

Remember: no security policy is really finished. The poles move, new facilities, services and threats are developed. Your IT team should review your security policy every quarter, and the IT management team or the Board should review it annually.

Leave a Reply

Inapurrear.com
Recent Comments