Business solutions
Membership packages
Money-back guarantee
New at the Forum
Why should I join?
Surviving the downturn
Our members
Testimonials
Work for the Forum
News and media
Research
Events
Working with the Forum
Log in


Problems logging in?

How to create an IT security policy
5 September 2009
Bookmark and Share
 
   
Email article : Print article : More articles like this
The chances are that you have been busy writing business plans and have in place a great sales and marketing process. But one thing many small business owners forget to create is a policy that helps you secure the IT used in your business.
By implementing a policy you will have laid out clear lines of responsibility and will ensure you and your team protect the reputation of your business.

Follow these steps to build an effective IT security policy.

Objective of an IT security policy

Some very small businesses will see the creation of an IT security policy as a waste of time. For most sole traders it is not necessary to create a formal policy as you are working by yourself and can be in control of your IT systems personally.

For small businesses that employ one or two staff members that use company IT equipment as part of their job, a security policy can act as useful protection against bad employee behaviour and will prevent claims by an employee that "they didn't know". The growth in social networking and online gambling sites is a problem for many employers as these sites can be a huge distraction for employees.

In some cases you may find your customers and/or suppliers demand that you have a security policy in place that they can review – especially if you may be formally linking into their IT systems.

The objective of the security policy is to:
  • Set the boundaries for employee use of IT.
  • Say what is deemed acceptable behaviour when using IT systems.
  • Explain processes and procedures that have been implemented to protect and manage IT systems.
  • Assign roles and responsibilities for staff so everyone knows their respective tasks.
  • Explain what will happen if the policy is ignored or deliberately breached.
IT security policy best practice

As a business owner you have certain legal responsibilities. The actual policy will vary from company to company, but here are some pointers.

State in your terms and conditions of employment that you expect data security discipline to be observed. You will also need to say that failure to observe security discipline will be treated as serious misconduct liable to summary dismissal.

You should consider making it clear that internet and email access for any purpose other than company business is a privilege that can be revoked at any time, and that you maintain the right to review and intercept internet and email use in order to ensure your company's policies are being observed.

Without these clauses in your employees' terms and conditions, you might find you have no right to check what people are up to. You should, of course, obtain legal advice for suitable wording.

In terms of a general security policy ensure good general behaviour by:
  • Banning access to unsavoury sites. This could include online auction, gambling and social networking sites. Tools and technologies are available to help you with this task if it is a significant problem.
  • Banning all sharing and downloading of copyright material such as songs, films and videos.
  • Letting people know their internet access is being monitored and activities will be reviewed. Again, there are tools to help you with this if you see it as a significant problem.
  • Telling people to protect their passwords and enforcing password changes every so often. There are tools to assist with this.
  • Clearly stating what will happen if anyone breaks any of these rules.
  • Ensuring emails have an automatic disclaimer about the content.
  • Stating how email communication is to be conducted,maybe using the 'letterhead' principal, in other words, everything that you write in an email is as binding as a letter on your official note paper.
  • Letting staff know your acceptable use of Instant Messaging, if you permit it at all.
It is also an idea to periodically check the policy to make sure it is keeping up with the latest innovations and technologies.

The cost of monitoring tools and software vary from £25 to £100 per PC. Setup is straightforward and the software can be downloaded from the internet, taking about 20 minutes to install and configure.

Here are a number of providers of internet and email usage monitoring software:
About the author
This article was taken from the Business IT Guide, a resource developed in collaboration with industry experts to help small businesses find the right IT solutions.
 
Source: Creating IT security policies


Related articles