Stephen Palamara, TCC Director of Business Development
Good security policies are more important now than ever. Since the beginning of the COVID-19 pandemic, there has been a surge in cybercrime, including phishing attacks and other types of scams.
One type of security policy is externally focused and technology-oriented. This type of policy helps prevent external threats and maintain the integrity of the network.
The other type is user-focused. Defining policies for appropriate use of the network can protect companies from liability if an employee violates the policy.
This article, published on the Tripwire website, outlines some considerations for creating a successful Acceptable Use Policy: https://www.tripwire.com/state-of-security/risk-based-security-for-executives/risk-management/7-things-consider-creating-acceptable-use-policy/
1. CONSIDER IMPACTS BEFORE ESTABLISHING RULES
The article suggests: “If you haven’t gone through the process of identifying risks and the impacts of those risks, it’s really important to have some kind of discussion or risk assessment before drawing up rules that may or may not fit your organization.”
2. DEFINE WHAT DATA MATTERS AND WHY
“When this is well defined up front, it will create an expectation that staff can apply generally even if they forget a specific rule defined in the policy.”
3. DEFINE ANY COMPLIANCE OR LEGAL CONCERNS
“A good policy should speak to both best practices and compliance standards.”
4. SOLICIT FEEDBACK FROM STAKEHOLDERS AND REVISIT POLICY
“Even if things are going well and you have established a strong culture, your policies will need to adjust over time. New staff will come on board, and they will need to be taught the proper rules, as well. Plus, everyone needs a refresh once in a while. This feedback loop is very important and will help make policy stronger and easier to manage.”
5. CONSIDER PERSONALLY OWNED DEVICES THAT ACCESS COMPANY DATA ASSETS
“Ultimately, the most valuable part of your system is the data you control. In general, organizations that have major breaches or loss of data face significant challenges moving forward. Therefore, your policy should focus on controlling and securing data. As such, I would encourage any organization that allows staff to ‘Bring Your Own Device’ to consider device usage as part of their Acceptable Use Policy.”
6. SOCIAL MEDIA
“Social media can be a very productive tool for organizations but obviously, it can also be a time waster and, even worse, a potential outflow of sensitive information or a tool as part of a phishing scam. Social media also transcends the IT infrastructure of the organization, so it’s important to take a broad view of this just like you would with personally owned devices.”
An Acceptable Use Policy can help reduce the risks associated with data security and IT management, but it must be tailored to meet the needs of each organization.
To learn more about TCC’s Security Services, please visit our website: https://www.e-tcc.com/security-services.