
How to create an IT security policy

The chances are that you have been busy writing business plans and have in place a great sales and marketing process. But one thing many small business owners forget to create is a policy that helps you secure the IT used in your business. Follow these steps to build an effective IT security policy.

By implementing a policy you will have laid out clear lines of responsibility and will ensure you and your team protect the reputation of your business.

Objective of an IT security policy

Some very small businesses will see the creation of an IT security policy as a waste of time. For most sole traders it is not necessary to create a formal policy as you are working by yourself and can be in control of your IT systems personally. For small businesses that employ one or two staff members that use company IT equipment as part of their job, a security policy can act as useful protection against bad employee behaviour and will prevent claims by an employee that "they didn't know".

The growth in social networking and online gambling sites is a problem for many employers as these sites can be a huge distraction for employees. In some cases you may find your customers and/or suppliers demand that you have a security policy in place that they can review – especially if you may be formally linking into their IT systems.

The objective of the security policy is to:

  • Set the boundaries for employee use of IT
  • Say what is deemed acceptable behaviour when using IT systems
  • Explain processes and procedures that have been implemented to protect and manage IT systems
  • Assign roles and responsibilities for staff so everyone knows their respective tasks
  • Explain what will happen if the policy is ignored or deliberately breached.

IT security policy best practice

The actual policy will vary from company to company, but here are some pointers.

State in your terms and conditions of employment that you expect data security discipline to be observed. You will also need to say that failure to observe security discipline will be treated as serious misconduct liable to summary dismissal.

You should consider making it clear that internet and email access for any purpose other than company business is a privilege that can be revoked at any time, and that you maintain the right to review and intercept internet and email use in order to ensure your company's policies are being observed.

Without these clauses in your employees' terms and conditions, you might find you have no right to check what people are up to. You should, of course, obtain legal advice for suitable wording.

In terms of a general security policy, ensure good behaviour by:

  • Banning access to unsavoury sites. This could include online auction, gambling and social networking sites. Tools and technologies are available to help you with this task if it is a significant problem.
  • Banning all sharing and downloading of copyright material such as songs, films and videos.
  • Letting people know their internet access is being monitored and activities will be reviewed. Again, there are tools to help you with this if you see it as a significant problem.
  • Telling people to protect their passwords and enforcing periodic password changes.
  • Clearly stating what will happen if anyone breaks any of these rules.
  • Ensuring emails carry an automatic disclaimer about their content, and stating how email communication is to be conducted, perhaps using the 'letterhead' principle: in other words, everything you write in an email is as binding as a letter on your official notepaper.
  • Letting staff know your acceptable use of instant messaging, if you permit it at all.

It is also a good idea to review the policy periodically to make sure it keeps up with the latest innovations and technologies.

These are just a few of the ways in which you can protect your business. For more comprehensive support get 3 months' free access to an online risk management system with Forum membership. This includes checklists and sample policies, including an IT policy, to make sure your business is protected and complies with relevant legislation. For more information, or to find out how we can help protect your business with discounted cyber insurance, call us now on 0845 130 1722.