The rate at which companies are becoming dependent on digital technology to run their businesses is increasing, and it’s changing the landscape of business operations. No longer do we have the luxury of reactive IT security policies.
If your security policy doesn’t include plans for the following elements of IT security, you’re probably doing it wrong:
Schedule a regular network scanning routine.
Simply put, regular scanning routines for the company’s network should be scheduled and implemented. This keeps you one step ahead of attackers. Scan critical assets, check for vulnerabilities, maintain regular reports, and plan remediation processes wherever they’re needed. This is one of the most basic, yet most important, steps towards data security.
Plan how and when patch management will be handled.
A security patch is code that fixes known, existing vulnerabilities, usually issued shortly after the software is initially released. It’s essentially a security update designed to fix security or functionality problems before the next upgrade is released. Patches can be seen as an inconvenience, because occasionally they briefly disrupt workflow; however, they’re essential and should be required. Patch management should be included in the corporate security policy, including how, when, and by whom patches are to be applied.
Define and execute plans for network services governance.
Remote working is becoming more commonplace, but that doesn’t exclude these workers from the need to maintain company security. Every corporate data security policy should outline expectations and definitions involving routers, switches, IP addresses, and network intrusions. An “acceptable use policy” should be written under this section as well.
Assign, review, and update accounts regularly.
The configuration of servers, operating systems, accounts, passwords, firewalls, and antivirus policies should all be clearly defined for employees, at whatever level of detail is appropriate to their workstation.
It’s important to keep track of who has access to which accounts and when. A common source of major security issues is an employee who quits or is laid off but whose account access is never transferred or revoked. A disgruntled employee can do a lot of damage. Policies covering all IT assets should be implemented and monitored, keeping in mind each individual’s role, which accounts they need to access, and who is responsible for revoking that access when the time comes.
These policies should also be reviewed and updated at least twice a year, particularly when there are major upgrades or changes to the network, which may affect the way policies are implemented.
Maintain accountability through disclosure and clearly defined expectations.
A security policy is only as good as the people involved. Handing a 100-page security policy to your employees tends to be an ineffective motivator. Exclaiming that “there needs to be accountability” doesn’t work either. Real training and disclosure of consequences will get results, respect, and more accountability from your employees.
Additionally, the consequences should fit the offense. Not all employees are IT specialists, and they shouldn’t be held accountable for that level of know-how. It’s important to spell out expectations in advance, beginning with constructive criticism and following through on consequences once those expectations can reasonably be assumed to be understood.
Strategize for security breaches.
Under the unfortunate circumstance in which there is a breach in security, there needs to be a plan. Evaluation, reporting, documentation, and future prevention should all be considered.