Nine IT security policies every IT department needs

Cybersecurity attacks can happen to all types of companies, whether early-stage startups or multinational corporations. As these threats grow, companies are increasingly subject to financial and reputational losses. For example, the recent ransomware attack on CNA Financial caused network disruption, impacted specific CNA systems, and cost $40 million.

Making sure your company has proper IT security policies minimizes risk and keeps your data secure.

However, it’s not only external cyberattacks that companies should be concerned about. Sometimes, the most significant damage comes from within.

68% of organizations confirm insider attacks are becoming more frequent

According to Cybersecurity Insiders’ 2020 Insider Threat Report, 68% of organizations say insider attacks have become more frequent over the past year. Such dangers can come from employees, vendors, or other trusted partners with easy access to network and company documents.

Nira’s recent survey data shows that over 45% of employees admit to taking documents from former employers. One of the reasons our customers use Nira is they are concerned that employees who leave the company still have unauthorized access to sensitive documents. Many companies have bad IT security policies/practices to prevent unauthorized use.

As a result of COVID-19, remote work has become the norm, with plans to shift some employees to remote permanently or a hybrid model post-pandemic.

From a security perspective, this will require a total reboot of policies, tools, and machines to better reduce risk.

IT departments should consider the following questions:

  • What security policies do you have in place to keep data secure and combat cybersecurity threats?
  • Are your cybersecurity policies able to keep up with changing workplace standards?
  • How does your online security stack up if you’re the owner of a small business without an IT team or person–or less sophisticated cybersecurity protection?

Security is a concern for companies of all sizes. Whether you have one IT person or 100, security is paramount for your company as you scale.

Why are security policies important?

When data breaches inevitably occur, you want your company to have a documented security policy to help ease the damage and keep your users safe.

It’s required for compliance regulations like Soc 2 and ISO, and it’s just good practice, in general, to show customers that they can trust you to protect their information.

Which IT security and policies should you have in place?

We’ll outline the nine most critical security policies you need to protect your organization from cybersecurity breaches.

1. Acceptable Use Policy

An Acceptable Use Policy (AUP) details how to properly access a computer network, service, or system. It is a standard onboarding policy for new employees; they need to read and sign the AUP before receiving a network ID. Inappropriate use could jeopardize the network system and even have legal repercussions. AUPs are kept current through regular audits.

2. Business Continuity Plan

A Business Continuity Plan (BCP) is important because it outlines what businesses should do in an emergency, allowing the company to continue to provide services and goods. It deals with the prevention of potential threats as well as recovery. Its secondary goal is to ensure operational continuity before and during the execution of disaster recovery.

Several key components of a BCP:

  • Identify who is on the team
  • Understand the data
  • Assess and prioritize the risks involved
  • Prioritize all essential services
  • Determine the cost and build of necessary solutions
  • Develop policies and communicate (both internally and externally)
  • Test and evaluate

3. Change Management Policy

Whenever changes are made to an information system, they need to be formally tracked.  The objective of the Change Management Policy is to give the rest of the organization insight and visibility into the proposed changes and ensure these changes do not have a negative impact on customers or the company.

Change management generally includes the following stages, which you can find detailed in sample policies and templates:

  • Planning: Design, schedule, and plan all changes to your IT systems.
  • Evaluation: Evaluate the change, including the risk based on the priority level of service and the nature of the proposed change, determining the change type and the change process to use.
  • Review: Review change plan with peers as appropriate.
  • Approval: Gain approval from the relevant parties to initiate the changes that have been designed.
  • Communication: Communicate about any changes with the appropriate parties. Inform them of any modifications that can be expected, the time frame of when the changes will be initiated, and any other necessary details about the changes.
  • Implementation: Implement the changes according to the written plan and during the scheduled time.
  • Documentation: Record any changes, reviews, and approval information in the plan.
  • Post-change review: Review the change and adjust for future improvements.

4. Data Breach Response Policy

A Data Breach Response Policy details the immediate action and information needed to manage a data breach event. Data breaches can come from both external and internal forces. Some are caused by external threats such as cybercriminals while others are more benign and are caused by human error.  No matter their cause, no data breach is suitable for your company, so having an easy-to-follow process, which all of your team understands, will reduce risk to your business.

More: Nira offers complete visibility and control across all documents that exist in your Google Workspace, showing who has access.

5. Disaster Recovery Plan

A Disaster Recovery Plan includes detailed instructions on responding to unplanned incidents such as power outages, cyberattacks, natural disasters, and any other disruptive events.

The plan consists of identifying critical IT systems and networks, creating strategies for minimizing the effects of a disaster, and outlining the steps needed to restart, reconfigure, and recover systems and networks so an organization can continue to operate or quickly resume critical operations.

Disruptions can lead to lost revenue and dissatisfied customers. The longer the recovery time, the more significant the business impact. Therefore, a good Disaster Recovery Plan should enable rapid recovery from disruptions.

6. Incident Response Policy

An Incident Response Policy complements your Business Continuity Plan. It describes your company’s response to an information security incident and should be documented separately from your Disaster Recovery Plan.

It should include:

  • Who the incident response team is
  • Staff members responsible for testing the policy
  • Each team member’s role, means, and resources to recover data.

The incident response includes preparation, identification, containment, eradication, recovery, and post-incident phases. This response policy ensures that the right people are able to contain a cybersecurity incident in the right amount of time.

7. Information Security Policy

Information is a precious asset. Not just for your businesses, customers, and employees, but also for your competitors and, more worryingly, for cybercriminals. Companies face threats in other areas, from having their assets held for ransom (as seen with CNA Financial) to disruption and loss of reputation.

All of this demonstrates the importance of:

  • Recording how your organization protects its data and assets
  • Outlining how you expect your employees to look after your assets
  • Defining your procedures and knowing what to do when an incident occurs

Your Information Security Policy is the place to record this in a clear way that your employees, customers, and other business partners can understand. Customers may need to read this policy, and if you are doing an excellent job at protecting your information, you’ll want them to.

8. Remote Access Policy

The Remote Access Policy guides remote users connecting to the company network from any host. This policy also extends to the policies governing network and computer use in the office. When implemented correctly, it helps protect the network from potential security threats. This policy can also help companies save money; according to IBM, data breach costs rose by an average of $1.07 million due to remote work during COVID-19.

When creating a Remote Access Policy, the following should be included:

  • Email usage
  • Information security and confidentiality
  • Access and equipment ownership guidelines
  • Data and network encryption standards.
  • Network connectivity, e.g., VPN access
  • Trusted versus non-trusted sources and third-party vendor access.
  • Access and authentication mechanisms, including password rules.
  • Standardized hardware and software: includes firewalls and antivirus/antimalware programs.
  • Physical and virtual device security (it shouldn’t allow unauthorized users to use work devices)

9. Vendor Management Policy

Every company that works with external and third-party vendors should have a Vendor Management Policy in place. It allows companies to assess how much risk an external vendor brings to their organization and helps them choose vendors more wisely and efficiently.

When choosing a vendor, consider the following points:

  • What compliance and security frameworks does the vendor have in place? For example, are they SOC 2 compliant?
  • What does their Service Level Agreement include?
  • What access to your network will they need?
  • What access controls do you have to deal with them?
  • What policies do you have for offboarding them?

More: The Ultimate Manual to Vendor Management Best Practices

Steps to mitigate cyberthreats

All security policies must be clear, with the right level of detail for all employees, and easy to understand, especially for non-security experts.

Several important steps to mitigate cyber threats:

  • Teach employees how to identify signs of malicious activity and what to do if they are suspicious.
  • Update company software and systems. Make sure all devices are updated with the latest versions of their operating systems.
  • Conduct top-to-bottom security audits. These audits review the security practices and policies of your central IT systems and end-user departments and examine remote site compliance with security policies.
  • Have regular audits from your vendors and business partners.
  • Perform regular data backups that work. Data backups and disaster recovery measures need to be tested at minimum once a year.

Organizations, big and small, must strengthen their cyber protection and have security policies in place. No company can afford to be unprotected from cyber threats.

To see what Nira can do to protect your company’s documents from unauthorized access, try a demo today.

Nira is a real-time access control system that provides visibility and management over who has access to company documents in Google Workspace, with more integrations coming soon.