INFOGRAPHICS
Starting a new IT security policy?
Consider these key policies and procedures
The absence of an IT security policy may highlight gaps in a company’s security and compliance posture. An effective policy serves as a risk-management plan addressing your company’s use of its technology solutions of choice. Your IT security policy will be made of multiple policies working together to maintain the confidentiality, integrity, and availability of your organization’s systems. An employee or committee may create your IT security policy, and it should be tuned to meet the unique needs of your company and its people. Your policy should be regularly reviewed and adapted to address evolving business and compliance requirements.
What is an IT security policy — and why does your business need one? An information technology (IT) security policy sets rules and procedures for the use of your company’s IT resources, with the goal of meeting user needs while protecting your company’s data and systems from unauthorized use. It is an essential part of your organization’s broader cybersecurity plan.
ACCEPTABLE USE POLICY
Describes guidelines, rules, and restrictions regarding use of organizational IT assets, to which employees must agree in order to utilize those assets
NETWORK SECURITY POLICY
Outlines rules for network access, describes how policies will be enforced, and provides an overview of a company’s security environment
NETWORK ACCESS POLICY
Establishes rules for access and use of a company’s network infrastructure
WIRELESS POLICY
Outlines conditions that devices and users must adhere to in order to connect to a company’s wireless network
MOBILE DEVICE POLICY
Describes data management procedures employees must follow when using mobile devices and software for network and data access
E-MAIL POLICY
Outlines acceptable and unacceptable uses of a company’s electronic communication technology
PASSWORD POLICY
Establishes rules for setting strong passwords and using them properly in order to enhance the security of computers and applications
PHYSICAL SECURITY POLICY
Establishes rules for physical access to company premises
REMOTE ACCESS POLICY
Defines approved methods of remotely connecting to internal organizational networks
VIRTUAL PRIVATE NETWORK (VPN) POLICY
Outlines rules and practices for use of virtual private network (VPN) connections
OUTSOURCING POLICY
Describes how an organization and its employees may enter into agreements with external service providers to perform activities which would otherwise be performed internally
GUEST ACCESS POLICY
Defines company policy as to whether and how guests such as visitors and contractors may connect to an organization’s network
THIRD PARTY CONNECTION POLICY
Establishes standards for company access to third-party networks, as well as for third-party access to and use of a company’s networks
DATA CLASSIFICATION POLICY
Assesses all types of data under a company’s purview and classifies data according to sensitivity, value, and importance to the organization
CONFIDENTIAL DATA POLICY
Defines what information is considered confidential and how it should be managed
ENCRYPTION POLICY
Establishes what devices and media must be encrypted, and when data encryption must be employed
BACKUP POLICY
Defines what, when, and how information from business applications is periodically saved, and backups are regularly tested, to ensure that data can be recovered in the event of an incident
RETENTION POLICY
Establishes protocols and time frames for information retention for operational or compliance purposes
INCIDENT RESPONSE POLICY
Articulates how an organization will respond to an information security incident in order to limit its repercussions for customers and business operations
BUSINESS CONTINUITY PLAN
Describes a cross-organizational process for restoring or maintaining essential IT resources while operating in an emergency
CHANGE MANAGEMENT POLICY
Establishes a methodical process for making changes to IT, software, and security services
Vanta is the easy way to get SOC 2, HIPAA, or ISO 27001 compliant. Over 1000 fast-growing companies trust Vanta to automate their security monitoring and get ready for security audits in as little as two weeks. Simply connect your tools to Vanta, fix the gaps on your dashboard, and then work with a Vanta-trained auditor to complete your audit. We'll guide you throughout the process and help tailor your security monitoring and compliance to meet the needs of you and your customers. Vanta was founded in 2017 and headquartered in San Francisco.
Vanta automates compliance starting with SOC 2