Don't Forget to Create Good Security Policies

Ralph DeFrangesco

I am working on a presentation about IT security policies, in which I will cover three policy areas: Internet, e-mail and software usage. There is way too much material overall to cover in one post, so I am planning on three, one for each policy area.


Let me start by saying that many companies handle this differently. Some create one policy and include all three topics in it. Some create one document for each policy. There is no wrong or right here.


An Internet policy, as a general rule, communicates what Internet sites, or what types of sites, are appropriate and not appropriate for an employee to visit. Organizations need to put into writing that employees cannot visit inappropriate sites. This is determined by each organization but generally it will say something like, "employees cannot access Internet sites that are not appropriate for business use." In most organizations, then, this is implemented in software. A filter will block what an employee cannot access. Remember that software cannot be expected to block every site flawlessly, though, since there are just too many of them.


Filtering will inevitably produce false positives. Employees will be blocked from legitimate sites while working and will call IT to have the filter adjusted, either temporarily or permanently. In some companies, HR is also notified of these situations, either by the employee at the same time as IT or afterward by IT. The documentation HR requires to explain the access event creates a bit more work, but consider it part of the process of enforcing the policy.


What makes up a good policy? These apply to all of our policies:


  • It needs to be in writing. This is also a legal requirement.
  • Tell employees under what circumstances you will monitor them and that only authorized personnel will look at any results.
  • A team drawn from across the organization should draft the policies.
  • Have the company's attorney review all policies.
  • Clearly state what happens when the policy is broken.
  • Communicate the policies. Have all employees read and sign them yearly. Include them in the new employee orientation.
  • Keep the policy up to date.
  • Implement it fairly.


The good news is that most organizations today have a set of Acceptable Use Policies. My experience has been, though, that a lot of organizations fail to keep the policies up to date and they don't implement them fairly. Organizations have many, many policies and find it time consuming to keep them all up to date. However, these are policies that you do not want to let get stale. For instance, many companies now have policies regarding the use of social networks. It's a fast-moving area and if it's worth the effort to create and roll out a policy, it's worth the effort to keep it up to date. Otherwise, you've wasted your time creating it and you'll waste more trying to enforce it.


On a related note, fallible people implement policies. Policies have to be administered equitably, or what employees may refer to as "fairly." A company cannot play favorites in applying policies. If they do, employees will find ways to get around them -- as well they should.


IT Business Edge offers a sample Internet usage policy in the Knowledge Network, where you'll also find samples and templates for creating other policies.


Those looking for a more thorough policy guideline may be interested in a complete IT policy kit.

Oct 21, 2009 12:14 PM Michael Argast says:

One thing I'm starting to recommend as best practice is that there be a specific subset of your security policies dedicated to minimizing the risk of data loss - a 'Data Security Policy' if you will. This includes things like guidance on not duplicating data when unnecessary, appropriate approval processes before sharing data, encryption policies and more. As most of the security concerns an organization has are actually about protecting the data, calling it out specifically in your policy is a good approach.

Michael Argast, Security Analyst, Sophos

