Is Your IT Security Policy Enough?
You can come up with the best game plan in the world, but it will be useless until it’s put into action. In the same way, simply having an IT security policy isn’t enough; it needs to be practiced to be worthwhile.
That’s not to say that the content of your IT policy is unimportant. What goes into your IT policy matters – a lot. You don’t want to base your strategy on a bad game plan, after all. It is to say, though, that the content of an IT policy is just one component of the policy’s success.
And, the success of your IT policy is important. IT policies form the backbones of any security program. They provide direction for users and system administrators to ensure the security of networks and systems. They limit the likelihood of a successful attack or data breach.
They reduce risk, and they protect your organization.
In order to do all of that, an IT policy must be optimized in three ways: in content, in administration, and in practice.
Simply having an IT policy isn’t enough to keep your organization secure. A combination of these three components will give it a much higher chance of success.
IT Policy Content: What Should Go Into an IT Policy?
So, what should go into an IT policy? Or, put another way: what makes the game plan good?
Every good IT policy has these components:
A Clear Objective
The first thing to iron out is the purpose of the IT policy. That may seem obvious or implied, but different objectives can shape the content of a policy considerably. Are you enacting a policy to comply with a certain set of standards – HIPAA, for example? Is it a general IT policy, created to reduce the risk of a data breach?
A clear statement of purpose will help to shape the standards contained in the policy.
Descriptions of Affected Users
It’s also essential to determine which users the policy will be targeted toward. Is the IT policy meant to apply to all network users? Do standards differ for system administrators?
Clearly identifying the audience will increase the relevancy of the standards.
History of Revisions
Including a history of revisions in your IT policy isn’t quite as formative as the selection of a purpose and a target audience, but it can help to maintain the relevancy of the policy. After all, you don’t want to include redundant or non-current standards. A history of revisions can also help affected users to keep track of progress and note any changes.
Standards for User Practices
This is the crux of any IT policy: the standards for user practices. For our purposes, we’ll use the common understanding of standards to mean: “a collection of system-specific or procedural-specific requirements that must be met by everyone.” Standards don’t refer to the entirety of the IT policy, but a policy will necessarily include IT standards.
Standards must be tailored to the needs of your organization, because each organization will have unique needs that must be addressed on an individual basis. These will typically be driven by the factors outlined above: objectives and audiences.
That being said, here are a few common issues that IT standards will nearly always address:
- How data is stored
- How data is shared
- How data is archived (if data is not touched for a period of time, what happens to it?)
- Who can access and share data
- Software usage (which programs are appropriate for which contexts, and how they should be used)
- Device usage (which devices are appropriate for which contexts, and how they should be used)
- General security standards (i.e. password usage, physical device security, file sharing protocols)
- Steps to take in the event of an attack or breach
Having appropriate standards for these and other relevant IT issues is vital in creating a good IT security policy.
IT Policy Administration: Who is in Charge of an IT Policy?
Policy administration is where the rubber meets the road.
Having someone in charge matters. A team will struggle to enact a good game plan without a coach to hold them accountable; players will do what seems best to them. Similarly, if nobody is in charge of your IT policy, nobody will follow your IT policy; with nobody to hold them accountable, users will do what seems best to them.
Administration is needed. The question is, though: who’s in charge?
Buy in From the Top is Needed
Common thought may suggest that the IT department should be in charge of IT policy administration. While that’s understandable (the IT department will inevitably help to shape and carry out components of the policy), the truth is that ultimate accountability for an IT policy needs to come from the executive levels of an organization.
Company culture is always set from the top. Holding an IT department accountable for the administration of an IT security policy means segregating the priority of security to IT. Following the policy becomes something that “the IT guys” want users to do, when it needs to be something that the entire organization expects users to do.
It’s easier for a user to brush off the continual requests of an IT person than it is to brush off the demands of their organization.
Depending on the size of the organization, this may mean that ultimate accountability for policy administration falls on the CEO, the CIO, or a CISO. Regardless of the exact role, though, administration accountability needs to lie with organizational executives.
IT Policy Practice: How is an IT Policy Carried Out?
Finally, with content and administration settled, the final component to the success of an IT policy is in consistent practice – in the way the policy is carried out.
As we’ve discussed, practice does flow from administration, but there’s more to it than that. While accountability for an IT policy should come from the top levels of an organization, its enactment will nearly always be carried out by the IT department.
Successfully carrying out an IT policy generally involves:
- Setting up systems to adhere to policy standards (technical set up)
- User education and training
- Periodic reviews to assess policy adherence
- Policy revisions based on needed changes
With proper practice, an IT policy can be truly effective.
Don’t Let Your IT Policy Go to Waste
Having an IT policy is essential, but as we’ve seen, simply having a policy isn’t enough.
Create a great game plan, and don’t let it go to waste. Take the time to develop great content, administrate correctly, and put your policy into practice.
And, if you’re feeling a bit overwhelmed by the prospect of doing it all yourself, don’t worry – we can help.
In the face of constant IT fires and daily dilemmas, creating and maintaining a great IT policy can feel overwhelming. Whether you need an entire outsourced IT department or supplemental help, we can work with you to ensure that the important process of IT policy enactment is enacted properly.
Take a look at some of our solutions today, and get in touch to start putting a great IT policy into action.