Data Security Policies: What’s Important?

By the DynaSis Team

In past articles, we have discussed the value of written policies to direct and define expectations for corporate security. We have talked about the importance of having strong employee security policies that not only educate but also clarify what behaviors are unacceptable—and potentially actionable.

As we head into a year predicted to be more dangerous than ever before in terms of cyber-risk, we offer you a list, developed with the input of DynaSis’ in-house security experts, of the principal elements a data security policy should include. When complete, such a resource will help to manage the activities and behaviors of personnel and provide support for the organization’s risk management strategy.

Nine Essential Elements of a Best Practices Data Security Policy

Data Privacy: What sensitive/confidential data the organization retains (including a plan for classifying data, if uncertainty exists) along with a program for securing, retaining and disposing of it. If the firm is subject to regulatory mandates, such as HIPAA (Health Insurance Portability and Accountability Act of 1996), how the firm will comply.

Password Management: Rules that define the content of passwords; how often they must be changed; how they are administered.

Internet Usage: What personal Internet usage is allowed at the workplace, if any, with a list of restricted site types. Information to help employees identify and avoid risky/infected sites. Also should include restrictions on Internet usage outside the corporate network (e.g. unsecured Wi-Fi sites) as well as prohibitions on establishing unauthorized Internet access points within the network.

Email Usage: How and where personnel can retrieve and send email, including prohibited behaviors such as transmitting corporate email over unsecured networks or allowing non-employees to send messages through a corporate account.

Company-owned devices: How and where company-owned devices may be operated; restrictions, if any, on the types of data stored on them; procedures in the event of damage, theft or loss.

Employee-owned mobile devices: Whether or not company data (including email) may be accessed or stored on personal devices. If personal devices are used for work and are company controlled, restrictions similar to those for company-owned devices may apply.

Social Media: Whether or not, and how, employees may use social media at the workplace or on company-controlled devices. Prohibitions, if any, on sharing information about the company, its personnel and its operations over social media.

Software Copyright & Licensing: Prohibitions against installing and using unapproved or unlicensed software on company servers. May also include how the company maintains its software licenses and how often it updates that software.

Security Incident Reporting: Policies and procedures for reporting security incidents. Incidents include not only activities (e.g. loss or theft of a mobile device) but also potential attempted intrusions, such as receipt of a suspicious email message. Personnel should be encouraged to report any activity or communication they are not certain is safe.

This list is extensive, but it is not exhaustive. Depending on the organization, industry and business model, additional information might be appropriate for inclusion. We have also excluded complex technology-layer policies, such as encryption policies and incident response procedures. Those are a discussion for a different day.

DynaSis has been Atlanta’s premier IT support services provider for more than 23 years. As an IT company working with small to midsized businesses (10 to 150+ users), DynaSis has developed a unique 12-layer approach to network threat protection, ransomware prevention and crypto virus threat elimination. The DynaSis Business Cloud functions through a highly secure environment with full real-time data backup. Please contact us at 678.218.1769 or visit our website at www.DynaSis.com.