Effective Policy: Policy Definitions

Administrative Access Policy: Defines when and how IT staff is allowed to use administrative privilege to access corporate data, systems and network equipment. It also regulates administrative passwords and audit trails. This policy is the starting point for establishing a ‘security culture’ within your IT department.

Security Incident Handling Policy: Defines what constitutes a ‘Security Incident’ and then details a set of guidelines for handling the incident. This policy gives guidance to both IT staff and non-IT staff and as a result has the potential to involve your whole staff in some level of maintaining corporate security.

Password Policy: Defines what appropriate passwords are and how to manage them. Training staff to choose good passwords is a very effective way to instill a security mindset in all staff, but especially new staff.

Acceptable Use Policy: Defines appropriate use of Internet, E-Mail and IT assets by users. A large percentage of security breaches occur as the result of innocent but dangerous misuse of these resources.

Electronic Message Retention Policy: Defines standards for retention and storage of e-mail and instant messaging communications. This policy determines which messages must be retained and for how long, in order to minimize liability and conform to government regulations. Message retention is a key element of Sarbanes-Oxley compliance, a requirement that is anticipated to extend eventually to non-public companies. Apart from any regulatory requirements, effective electronic retention is important for financial, legal and HR reasons. Given the valuable operational benefits of proper message retention, this represents an important addition to corporate policy.

E-Mail Policy: Takes the foundational policies contained in the Acceptable Use Policy and gives specific direction relating to the use of E-Mail. This policy sets the expectation as to whether E-mail is purely a business tool or a mixed business and personal tool. Due to the potential for security breaches associated with potentially unprotected personal web-based e-mail accounts, Lithik Systems recommends that policy forbid access to personal accounts using company equipment.

Instant Messaging Policy: Takes the foundational policies contained in the Acceptable Use Policy and gives specific direction relating to use of instant messaging or ‘chat’. Due to the potential for security breaches associated with instant messaging, Lithik Systems recommends that policy forbid its use on company equipment with the possible exception of internally hosted messaging or messaging utilized by vendors to provide customer support.

Wireless Communication Policy: Defines standards for wireless systems used to connect to the organization’s networks. As personal home use of wireless devices grows, allowing laptops to connect to the main network and ultimately the Internet, the risk increases that staff members will take it upon themselves to install a wireless router in their office so they can move a laptop around the office while continuing to work.

Information Sensitivity Policy: Information is one of the primary assets of any organization. The loss, theft or corruption of that information, especially confidential customer data, represents a tremendous risk management responsibility. The Information Sensitivity Policy forms the framework for the management and protection of critical corporate data.

Backup Policy: Provides the procedural expectations as to how critical information is managed to enable recovery in the event of loss or corruption of key data systems. This policy sets a standard for prudent management at both the desktop and server level that ensures that a disaster does not result in permanent data loss.

Security Policy Oversight: Security policy is a moving target due to the dynamic nature of IT threats as well as the rapidly changing regulatory environment. Regulations specifically assign the management of these policies to corporate officers. Defining procedures for the maintenance of security policies ensures that responsibilities are clearly defined and communicated to everyone involved. Furthermore, this policy states specifically who is responsible for championing this issue within the organization.

Network Security Procedures Policy: In the course of day-to-day management of the IT infrastructure, there are specific activities that have a direct impact on overall security. It is important to state as a matter of policy what the expectations and procedures will be, to ensure that these activities occur in a predictable, complete and effective manner.

Physical Security Policy: Defines how the hardware assets of the organization will be secured to avoid theft, damage or unauthorized access to these repositories of critical corporate information. It also sets expectations for how mobile computing devices are secured when offsite.