No matter what size your company may be, you need to develop a clearly articulated security policy for your employees to follow at all times. More than 40% of UK businesses, some of which are very large, do not have such a policy. Without a written document devoted specifically to Information Technology security, you run the risk of engaging in haphazard practices that can jeopardise your company's viability.
Consider the benefits of creating and implementing well-defined guidelines regarding Internet and computer safety measures. Within your company, a policy shows employees that you value communication on important issues and that you don't take breeches in IT security lightly. Letting clients know that you have a well-honed methodology to deal with IT issues, is an excellent selling point when trying to attract and retain clients. A breech in security could result in downtime, lost business and a deterioration in customer confidence.
A written IT policy should be free of jargon and focus on both internal and external threats. In should be in manual form and needs to be incorporated into your company's daily business practices through staff training. Before implementing it, be sure to have it reviewed by a lawyer. Revisit and update the document yearly, as your company changes and the Internet evolves.
General topics that need to be addressed in your policy are:
- Availability: Who will be able to access information - in what way, for what reason, from what locations and for how long?
- Integrity: Describing how you will maintain information that is correct and up-to-date and that will not be changed, either purposefully or inadvertently, from what is accurate.
- Confidentiality: Ensuring that sensitive client, financial and contact information can be accessed only by appropriate personnel.
Your policy may be structured in a number of different ways. But be sure to keep it to the point and written in an understandable manner. It should not contain legalese. Topics to be addressed include the purpose of the document, its focus and scope, the description and definition of security responsibilities, actions to be taken when a breech occurs and sanctions for the purposeful infringement of the policy by employees. This length for this type of document is usually between 6 and 10 pages.
Additional and more specific policy issues, situations and concerns can be addressed in supplementary texts. Areas that may be treated include step-by-step procedures for dealing with certain operational responsibilities and tasks and specific day-to-day security practices when accessing confidential client and company information.
You may develop your own policy or there are numerous companies that can help you do so. If you are writing the policy yourself, take some time to download examples from the net, to inquire of friends or colleagues it they have policies that you may read and to check with your local chamber of commerce regarding any information they may possess.
You may access the publication Illustrated Handbook for Web Management Teams at http://www.cabinetoffice.gov.uk/e-government/resources/handbook/html/htmlindex.asp. Although it is not specifically a guide to developing IT policy, this document does contain various sections on government regulations pertaining to e-commerce security.