Policy

Remote access policy

This policy outlines guidelines and processes for requesting, obtaining, using, and terminating remote access to organization networks, systems, and data. It applies to scenarios where employees connect remotely to in-house data centers as well as offsite facilities, such as cloud providers.

From the policy:

Secure remote access to company systems and networks is now a way of life for most companies. As corporate conglomerates, small businesses, and brick-and-mortar shops fade away in favor of a distributed offsite workforce, companies and employees can profit from the greater convenience and efficiency provided by remote access. Combined with a BYOD (bring your own device) policy, a remote access implementation can lower equipment costs, reduce office overhead, and facilitate employee productivity.

However, the advantages of remote access also include some challenges that are more easily surmounted by onsite staff: ensuring that only authorized personnel can access company resources, securing devices not directly under IT control (nor available for hands-on support), and properly handling employee terminations.

Policy details

Only users with a demonstrable business need to connect to company resources shall be provided with remote access capabilities. This will obviously apply to offsite workers by default, but onsite workers should be screened accordingly. Users with access to credit card data, for instance, may be ineligible for remote access capability if this would pose a security or financial risk. Users whose job responsibilities involve hands-on or face-to-face interaction may also be restricted from remote access privileges.

Employee eligibility to remotely access the organization’s computer network will be determined by their respective managers. The IT department must also approve each staff member’s remote access use.

Network security policy

This policy will help you create security guidelines for devices that transport and store data. You can use it as-is or customize it to fit the needs of your organization and employees.

From the policy:

Summary
Every company’s network is made up of devices that transmit and store information. This can include internal and external systems, either company-owned or leased/rented/subscribed to.

To protect company data and reputation, it is essential to ensure that the network is secured from unauthorized access, data loss, malware infestations, and security breaches. This must be done via systematic end-to-end controls.

Policy details
The IT department will be responsible for implementing, adhering to, and maintaining these controls. For the purposes of this document, “all devices” refers to workstations, laptops, servers, switches, routers, firewalls, mobile devices, and wireless access points. Where possible, these guidelines will apply to external remote systems and cloud services.

Configuration guidelines
All devices should be configured using strong administrative controls, including complex passwords or SSL keys (which must be kept in a centralized password/key database that only the IT department can access). These passwords/keys must be rotated every 90 days or when an IT staff member has been terminated.

All devices should be set up with a “least privilege necessary” model, whereby access is provided only to employees who require it to do their jobs. Administrator accounts should be kept to a minimum and provided only to authorized members of the IT department (or elsewhere if approved by IT).

All devices should have only the access, services, and functions needed for them to function properly. Critical systems storing confidential data should be protected by firewalls with the bare minimum of ports opened only to those sources that should access them.

Where applicable, devices should be subject to hardening guidelines as provided by the vendor, insofar as these do not interfere with desired functions or access.

Password management policy

Password-driven security may not be the perfect solution, but the alternatives haven’t gained much traction. This policy defines best practices that will make password protection as strong and manageable as possible.

From the policy:

Employee passwords are the first line of defense in securing the organization from inappropriate or malicious access to data and services. In many cases, compromised user accounts have been turned into stepping stones for administrator-level penetration by unauthorized individuals, resulting in catastrophic, well-publicized data breaches.

Regardless of whether accounts are used for testing, workstation setups, day-to-day use, or superuser/root privileges, establishing and maintaining a strong password management policy is the foundation of a secure organization.

Purpose
This policy provides guidelines for the consistent and secure management of passwords for employees and system and service accounts. It includes mandates on how passwords should be generated, used, stored, and changed, as well as instructions for handling password compromises.

General requirements
Blank or easily guessed passwords (such as “password”) are never permitted for any account, no matter how trivial. Passwords should not contain dictionary words such as “kitchen” or “automotive.”

Passwords must be complex, containing at least eight characters and a mixture of lowercase letters, uppercase letters, numbers, and punctuation characters. For instance, “B3llt0Wer!” should be used in place of “Belltower,” as it is considerably more secure.

Passwords should never contain security-sensitive information, such as an employee’s social security number or date of birth. They also should not include public information related to an employee’s personal life, such as the names of their children, hobbies, favorite sports team, etc.
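The general requirements above can be enforced at account-creation or password-change time. The following checker is an added example written for this page (it is not part of the TechRepublic policy or any product): it implements the page's stated rules for blank and trivially guessable passwords, the eight-character minimum with all four character classes, dictionary words, and personal information such as an SSN, date of birth or names. The word list and the `UserProfile` fields are constructed stand-ins; a real deployment would substitute a full dictionary and the directory attributes it actually holds.

```python
"""Password policy checker implementing the rules stated in the policy (added example)."""
import re
import string
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed, deliberately tiny word list standing in for a real dictionary.
# The page names "password", "kitchen" and "automotive" as forbidden words.
DICTIONARY_WORDS = {"password", "kitchen", "automotive", "belltower", "welcome", "summer"}

MIN_LENGTH = 8  # from the policy: at least eight characters


@dataclass
class UserProfile:
    """Personal facts the policy says must not appear in a password (constructed fields)."""
    ssn: str = ""
    date_of_birth: str = ""                              # e.g. "1985-04-12"
    personal_terms: List[str] = field(default_factory=list)  # children's names, team, hobbies


def _personal_fragments(profile: UserProfile) -> List[str]:
    """Derive the substrings to search for: digit runs from SSN/DOB plus the named terms."""
    frags: List[str] = []
    if profile.ssn:
        digits = re.sub(r"\D", "", profile.ssn)
        frags.append(digits)
        frags.append(digits[-4:])        # last four SSN digits are commonly reused
    if profile.date_of_birth:
        d = re.sub(r"\D", "", profile.date_of_birth)
        frags.append(d)                  # 19850412
        frags.append(d[:4])              # birth year
        frags.append(d[4:])              # month and day
    frags.extend(t for t in profile.personal_terms if t)
    # Ignore fragments too short to be meaningful (e.g. a two-digit month)
    return [f.lower() for f in frags if len(f) >= 3]


def check_password(password: str, profile: Optional[UserProfile] = None) -> List[str]:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    violations: List[str] = []
    if not password:
        return ["blank password"]
    lower = password.lower()

    # Length and composition rules from the policy
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "punctuation": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            violations.append(f"missing {name} character")

    # Dictionary words anywhere in the password (case-insensitive substring match)
    for word in sorted(DICTIONARY_WORDS):
        if word in lower:
            violations.append(f"contains dictionary word '{word}'")

    # Personal information drawn from the user's profile
    if profile is not None:
        for frag in _personal_fragments(profile):
            if frag in lower:
                violations.append("contains personal information")
                break
    return violations


if __name__ == "__main__":
    for candidate in ["", "password", "Belltower", "B3llt0Wer!"]:
        print(repr(candidate), "->", check_password(candidate) or "OK")
```

Note that the dictionary check is a plain substring match, so “B3llt0Wer!” passes even though it is a leet-speak transformation of a dictionary word; this mirrors the page's own example rather than a stronger mangling-aware check.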

Use different passwords on different systems. For example, a Windows account password should not be the same as a QuickBooks password. It is especially critical that external accounts (such as those on third-party websites like Salesforce.com) do not share passwords with internal accounts, so that a data breach at one of these external targets does not expose company systems.

Passwords used on company systems should never correspond with employee personal account passwords (e.g., Windows account and Gmail account passwords must be separate).

Users must not write passwords down or send passwords through email/instant messaging services.

The IT department will not ask users for their passwords but will instead set temporary passwords for employees who can’t log into their accounts.

Employees should consider using a password management program like LastPass, KeePass, or Password Safe to store their passwords in a central encrypted database secured by a master password (which is subject to the same guidelines described here). If such a program is used, it should be configured to auto-lock when the system is idle and to clear any passwords in the clipboard when not in use.

Risk Management Policy

Risk management involves the practice of addressing and handling threats to the organization in the form of cybersecurity attacks and compromised or lost data. The process of establishing appropriate risk management guidelines is critical to ensure company operations and reputation do not suffer adverse impact.

Achieving a sound risk management foundation is not an easy process because of all the moving parts involved: users, systems, networks, data, remote or cloud locations, and other elements can produce a level of complexity that is difficult to tame. The approach must address both the overall forest and the individual “trees.”

The purpose of this Risk Management Policy from TechRepublic Premium is to provide guidelines for establishing and maintaining appropriate risk management practices. This policy can be customized as needed to fit the needs of your organization.

The Risk Management Policy includes:

  • How to establish duties of the policy owner, policy custodian and audit team
  • Risk categories
  • How to identify insurable vs. non-insurable risks
  • How to conduct risk assessments on key suppliers/third party vendors
  • How to implement controls
  • How to establish incident response and investigations
  • Protective monitoring
  • Violations and penalties
  • Acknowledgment of Risk Management Policy form
  • And more!

Safeguarding customer information policy

Data breaches can cost companies tens of thousands of dollars or more and can pose a significant risk to company operations and reputation. Customer information is usually one of the favorite targets of hackers as it entails confidential details which can be used to commit property or identity theft. Even innocent mistakes such as a lost mobile device which contains (or provides access to) customer information can wreak havoc.

With this in mind, it’s important to establish sound principles for safeguarding customer information. The purpose of this policy from TechRepublic Premium is to establish standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customers’ proprietary information and consumer information.

This policy can be customized as needed to fit the needs of your organization.

From the policy:

The IT department/department of security will be responsible for planning, implementing, and maintaining protective measures for information security.

Because data is collected, processed, and managed in different ways based on department functions, management within each line of business is responsible for working with the IT department/department of security to develop and implement appropriate department-specific procedures to comply with this policy.


Information Ownership Policy

Information security policy

To protect your information assets, you need to define acceptable and unacceptable use of systems and identify responsibilities for employees, IT staff, and supervisors/managers. This policy offers a comprehensive outline for establishing rules and guidelines to secure your company data.

From the policy:

Employee responsibilities
An employee who uses the company workstations or systems to conduct business operations must:

  • Ensure that all equipment use is for business/professional reasons.
  • Access only information that is needed to perform their jobs or assist others in doing so as part of the valid scope of their duties.
  • Be responsible for the content of all data, including text, audio, and images they share internally or externally. All communications should have the employee’s name attached.
  • Be responsible for all actions/transactions performed with their accounts.
  • Use passwords and screen locks on company-owned systems or devices, or those that have been approved for access to company data.
  • Log out when leaving a workstation for an extended period.
  • Store all shared passwords (such as for departmental accounts) in a centralized and encrypted password database, such as Password Safe or KeePass. The main password for these databases must also be kept private and provided only to authorized individuals.
  • Change passwords per company policy (e.g., every 90 days).
  • Know and abide by all applicable company policies dealing with security and confidentiality of company records.

Information security incident reporting policy

Make sure your employees know how to spot potential security breaches and how they should respond. This policy describes the signs that might point to a security incident and offers guidelines on the steps they should take.

From the policy:

Summary
Confidential information must be kept secure to protect the business and its staff. System or network breaches and data loss can result in severe consequences for organizations. There are numerous real-life examples of publicized intrusions that produced damaging results, and they’ve proven that technological safeguards and a strong employee commitment to policy are essential tools in preventing and responding to information security incidents.

With this perspective in mind, the proper channel and process for reporting security incidents that might compromise data integrity is of utmost importance for all employees in order to maintain business operations.

Incident reporting requirements
The following examples are possible signs that an information security incident may be in progress or may have already occurred. Some of these may be legitimate occurrences that are a normal part of daily operations—but others may be a sign of a deeper threat. Employees should operate from the standpoint of whether these examples (or others not listed) are expected or unexpected:

  • Strange application behavior, such as programs that mysteriously close or from which data is missing
  • Excessive system crashes
  • Abnormally slow or poor system performance
  • Reports that they have sent out spam or unwanted emails
  • Inappropriate pop-up ads
  • Locked accounts or reports that they have attempted to log on unsuccessfully, especially when they have been away from their system
  • Remote requests for information about systems and/or users (e.g., individuals claiming via phone or email to be help desk staff and asking for passwords)
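The lockout and failed-logon sign in the list above is one that the IT department can corroborate from authentication logs once an employee reports it. The following detector is an added example written for this page, not code from the policy or from any vendor: it parses constructed log lines in a simple `key=value` form (the timestamp, `user`, `event` and `src` fields are assumptions, not any real product's format), keeps a sliding window of failures per user, and raises one alert per user when the failure count within the window reaches a threshold, flagging whether the burst occurred outside a constructed 06:00–22:00 working window, which is the “away from their system” case the policy calls out.

```python
"""Failed-logon burst detection over constructed log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, time, timedelta
from typing import Deque, Dict

# Constructed sample lines in a generic key=value format; not from any real system.
SAMPLE_LOG = """\
2024-03-04T02:13:05 user=jdoe event=LOGON_FAILED src=10.0.0.5
2024-03-04T02:13:09 user=jdoe event=LOGON_FAILED src=10.0.0.5
2024-03-04T02:13:14 user=jdoe event=LOGON_FAILED src=10.0.0.5
2024-03-04T02:13:20 user=jdoe event=LOGON_FAILED src=10.0.0.5
2024-03-04T02:13:27 user=jdoe event=LOGON_FAILED src=10.0.0.5
2024-03-04T09:01:00 user=asmith event=LOGON_FAILED src=10.0.1.8
2024-03-04T09:01:30 user=asmith event=LOGON_SUCCESS src=10.0.1.8
2024-03-04T09:05:00 user=jdoe event=LOGON_SUCCESS src=10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$"
)

# Constructed working-hours window; a real deployment would use per-user schedules.
WORK_START = time(6, 0)
WORK_END = time(22, 0)


def is_off_hours(ts: datetime) -> bool:
    """True when the timestamp falls outside the assumed working window."""
    return not (WORK_START <= ts.time() < WORK_END)


def detect_failed_logon_bursts(
    log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=5)
) -> Dict[str, dict]:
    """Return {user: alert} for users with >= threshold failures inside a sliding window.

    Each alert records when the threshold was first crossed, the number of failures
    in the window at that moment, the source address, and an off-hours flag.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["event"] != "LOGON_FAILED":
            continue  # malformed lines and non-failure events are ignored
        ts = datetime.fromisoformat(m["ts"])
        user = m["user"]
        q = recent[user]
        q.append(ts)
        # Drop failures that have aged out of the window
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = {
                "first_seen": ts,
                "count": len(q),
                "src": m["src"],
                "off_hours": is_off_hours(ts),
            }
    return alerts


if __name__ == "__main__":
    for user, alert in detect_failed_logon_bursts(SAMPLE_LOG).items():
        print(f"{user}: {alert['count']} failures by {alert['first_seen']} "
              f"from {alert['src']} (off-hours: {alert['off_hours']})")
```

A single failure followed by a success, as with `asmith` in the sample, is normal daily operation and produces no alert; five failures in under a minute at 02:13 for `jdoe`, followed by a success hours later, is exactly the pattern an employee report of an unexplained lockout would prompt the IT department to look for.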

Disaster recovery and business continuity plan


Natural and man-made disasters can jeopardize the operations and future of any company, so it’s critical to develop a plan to help ensure ongoing business processes in a crisis. This download explains what needs to go into your DR/BC plan to help your organization prepare for—and recover from—a potential disaster.

From the plan:

Objective
This Disaster Recovery and Business Continuity plan from TechRepublic Premium provides a roadmap that organizations can follow to implement sound disaster recovery and business continuity processes.

Audience
The plan is aimed at the IT department. The organization’s executive staff must cooperate and assist in coordinating and supporting the plan’s design, implementation, and maintenance if the plan is to prove effective.

Purpose
This plan strives to achieve the following goals:

  • Ensure that the organization’s executives understand the need for a written disaster recovery and business continuity plan
  • Define the systems and data the organization must protect
  • Ensure compliance with any industry data archiving guidelines and/or requirements
  • Determine how the organization will back up and protect specified data from loss
  • Determine how and where the organization will recover operations should a crisis occur
  • Define which individuals, departments, or teams are responsible for which disaster planning and execution tasks


Business continuity policy

It’s an unfortunate fact of life in today’s world that both natural and manmade disasters can place businesses at risks both moderate and severe. Whether caused by earthquakes, hurricanes, blizzards, terrorist attacks, sabotage or some other element, business can be impeded from normal operations or shut down entirely if catastrophic events are powerful enough.

Having a plan to protect the business and ensure operational consistency is critical in today’s business environment to ensure revenue and reputation are not adversely impacted.

The purpose of this policy is to provide guidelines for establishing and following appropriate business continuity requirements. This policy can be customized as needed to fit the needs of your organization.

From the policy

SCOPE

All employees, whether full-time, part-time, contract workers, consultants, interns, temporary workers, or other personnel, are covered by this policy. It also applies to all company-owned equipment, employee-owned equipment used to conduct company business, and material related thereto.

EXCEPTIONS

There are no exceptions to this policy except where permitted in writing by the HR and IT departments.

Accomplishment tracker

Having a structured way to keep track of your noteworthy accomplishments will help you be at your best when review time rolls around. It can also prime the mental pump when you’re feeling stuck trying to revise your resume. This spreadsheet offers a basic framework for recording your achievements, feedback, and activities throughout the year, simplifying the self-evaluation and review process.

Documenting your year:

One of the most effective ways to keep track of your projects and activities is to jot down a few words about them—in real time or near real time—so you don’t forget what they were. You can include as much detail as you want, but even something like “Evaluated accounting packages” may be enough to jog your memory. You don’t have to invest a lot of time in this process, either—a couple of minutes here and there is much better than dealing with The Gaping Void of Lost Memories later.

If you have more than a couple of minutes, consider dashing off a sentence or two that captures what worked/didn’t work, what you might do differently next time, and any data you can scare up that supports the success of the projects you’re most proud of. How should you approach this recordkeeping process? You could go old school and write on a legal pad or in a calendar book. You might take the spreadsheet route, maintaining a workbook with tabs for various categories of events and activities. You could record voice memos or use a note-taking app like OneNote, Evernote, or Google Keep. And there are scads of online and mobile journaling apps out there waiting to make this an efficient and painless task. The main thing is to find an approach that’s sustainable for you—because the key is to stay as up to date as possible.
