
Starting a new IT security policy?
Consider these key policies and procedures

The absence of an IT security policy may highlight gaps in a company’s security and compliance posture. An effective policy serves as a risk-management plan addressing your company’s use of its chosen technology solutions. Your IT security policy will consist of multiple policies working together to maintain the confidentiality, integrity, and availability of your organization’s systems. An employee or committee may create your IT security policy, and it should be tuned to meet the unique needs of your company and its people. Your policy should be regularly reviewed and adapted to address evolving business and compliance requirements.

What is an IT security policy — and why does your business need one? An information technology (IT) security policy sets rules and procedures for the use of your company’s IT resources, with the goal of meeting user needs while protecting your company’s data and systems from unauthorized use. It is an essential part of your organization’s broader cybersecurity plan.

ACCEPTABLE USE POLICY

Describes guidelines, rules, and restrictions regarding use of organizational IT assets, to which employees must agree in order to use those assets

NETWORK SECURITY POLICY

Outlines rules for network access, describes how policies will be enforced, and provides an overview of a company’s security environment

NETWORK ACCESS POLICY

Establishes rules for access and use of a company’s network infrastructure

WIRELESS POLICY

Outlines conditions that devices and users must adhere to in order to connect to a company’s wireless network

MOBILE DEVICE POLICY

Describes data management procedures employees must follow when using mobile devices and software for network and data access

E-MAIL POLICY

Outlines acceptable and unacceptable uses of a company’s electronic communication technology

PASSWORD POLICY

Establishes rules for setting strong passwords and using them properly in order to enhance the security of computers and applications

PHYSICAL SECURITY POLICY

Establishes rules for physical access to company premises

REMOTE ACCESS POLICY

Defines approved methods of remotely connecting to internal organizational networks

VIRTUAL PRIVATE NETWORK (VPN) POLICY

Outlines rules and practices for use of virtual private network (VPN) connections

OUTSOURCING POLICY

Describes how an organization and its employees may enter into agreements with external service providers to perform activities that would otherwise be performed internally

GUEST ACCESS POLICY

Defines company policy as to whether and how guests such as visitors and contractors may connect to an organization’s network

THIRD PARTY CONNECTION POLICY

Establishes standards for company access to third-party networks, as well as for third-party access to and use of a company’s networks

DATA CLASSIFICATION POLICY

Assesses all types of data under a company’s purview and classifies data according to sensitivity, value, and importance to the organization

CONFIDENTIAL DATA POLICY

Defines what information is considered confidential and how it should be managed

ENCRYPTION POLICY

Establishes what devices and media must be encrypted, and when data encryption must be employed

BACKUP POLICY

Defines what information from business applications is periodically saved, when, and how, and requires that backups be tested regularly to ensure that data can be recovered in the event of an incident

RETENTION POLICY

Establishes protocols and time frames for information retention for operational or compliance purposes

INCIDENT RESPONSE POLICY

Articulates how an organization will respond to an information security incident in order to limit its repercussions for customers and business operations

BUSINESS CONTINUITY PLAN

Describes a cross-organizational process for restoring or maintaining essential IT resources while operating in an emergency

CHANGE MANAGEMENT POLICY

Establishes a methodical process for making changes to IT, software, and security services