It's important for businesses of all sizes to define a structure for technology policies and other practices that allow users to work within a pre-defined set of parameters. While few employees are happy about the thought of more policies and procedures, they are necessary for the safety of your organization. IT cybersecurity policies are a way to alert your business and technology users to the potential harm that could come to the organization from not following acceptable guidelines. They also provide a way to clearly define workflows and responsibilities, which can save time and frustration all around. A few of the policies that are important for businesses of all sizes include an Acceptable Use Policy, mobile or tablet policies, a backup and disaster recovery roadmap, a password policy and security standards. Defining these policies empowers the IT department to act within the set parameters, which may detail standard service configuration, enforcement of policies and standards and their penalties, recipients of IT services and timing.
Acceptable Use Policy
The term "Acceptable Use Policy", or AUP, refers to a policy that requires users to respect the rights of other users, contractual agreements and pertinent licenses. In real terms, this means that individuals using your technology -- whether they're employees, students or customers -- abide by the terms that you have set for the use of the resources. These rules are generally enforced by the network administrator or owner of the online service, network or website, in an effort to reduce the potential for legal action from the unseemly use of information assets. While similar to the more familiar Terms of Service or End-user License Agreements, an AUP covers a broader group of computing resources such as a LAN or website, and stresses respect for fellow users and etiquette between individuals.
An AUP allows network owners and administrators to provide a strict set of guidelines to anyone utilizing their system resources. The rules can include a variety of topics, including:
- Controlling how specific software is used, such as restricting use of personal email
- Blocking of specific gaming websites that slow down overall network traffic
- Managing passwords, and setting rules around password validity
- Defining acceptable use and ownership of intellectual property
It's important that an AUP be concise and clear, so that users cannot claim confusion about what is expected of them. An adequate AUP is a critical component of system security: it defines what users are and are not allowed to do with an organization's IT systems, and without one there is nothing to enforce. Even small organizations can find themselves in legal trouble due to the actions of an individual utilizing their resources.
In many cases, an employee, student or customer is not intending to cause harm to the organization and may simply be unaware of the broader impact of their actions. A great example is the use of audio and video files. When employees store their MP3s on your network drive, not only are they taking up valuable storage space, but sharing these files with others can be considered copyright infringement. MP3s, their associated files and videos all tend to be relatively large, which can also put a drain on your backups or require scarce time from your technical team to restore files that are accidentally lost or moved. When Acceptable Use Policies are clearly defined and enforced, you're one step closer to protecting your organization's assets.
Mobile and Tablet Policy
Corporate mobile policy, also known as BYOD (Bring Your Own Device) policy, is a growing concern for many organizations. Employees today want to have their work and personal content available at all times, and that often requires having some type of mobile device or tablet. While an employee who prefers to purchase their own mobile phone or tablet, rather than having your organization purchase one, sounds like a great idea, keep in mind that these devices may be tied into a corporate internet or intranet -- something that raises red flags for many IT security professionals. Manage the risks by taking these steps:
- Survey your team: Find out exactly what type of mobile devices your employees, students or customers need to use and how they will be used. For instance, mobile devices that are only used to access email are much less dangerous to your corporate security than those used for direct access to a server from a tablet. Gathering requirements first allows you to make good decisions on a broader scale.
- Discuss support levels: Different classes of users will have different needs. Some individuals, such as an IT team member, will have more invasive needs for their personal mobile devices, so it makes sense to put them in a class of their own. Grouping users by needs or by potential support needs is a good way to simplify your overall administration of a mobile policy.
- Maintain isolation for organizational data: If an employee suddenly leaves the organization, you would generally collect their computer if it was provided to them. However, what if the employee purchased their own mobile device or tablet, and it has sensitive corporate data stored on it? You always need a plan that allows you to remotely wipe sensitive information from an employee-owned device.
- Selective services: Certain highly regulated industries such as healthcare, financial services or public sector businesses may need to define additional safeguards. Blocking features with explicit content, enabling encryption and tightening password requirements may help your organization live up to required regulatory policies and still allow employees to BYOD.
- Define and enforce: It's not enough to simply set the policy; you have to visibly enforce it. Define the ramifications upfront should employees fail to follow corporate policies in regard to their personal devices. Revisit the policy on a regular basis, perhaps annually, to ensure that no material changes are needed. Clearly communicate policy changes to all who are affected.
Creating a mobile policy that also covers tablets and other small electronics provides your employees the freedom to work when and how they need to, while also offering business owners and IT leaders the peace of mind of knowing that corporate systems and data are safe. When you outline specifics around support, you're also potentially saving valuable tech support time that would otherwise be spent troubleshooting issues outside the scope of accepted corporate use.
Backup and Disaster Recovery Policy
Discovering that your systems have been compromised or lost can be a scary, pit-of-the-stomach-drop feeling for business owners and technology professionals. Losing access, even for a short period of time, to the critical data, applications and operations required to run your business forces you to rethink everything you know about modern business while you scramble to support employees and serve customers or students. Everything from natural disasters to hackers and human error causes problems with systems, and without a solid backup and disaster recovery policy in place it could take weeks to restore data. A solid plan to restore your data and systems is the best insurance against errors, hacking and disaster that you can find.
Nearly 10 percent of all small businesses are affected by some sort of man-made data disaster, while a whopping 30 percent are affected by natural disasters from fire, flood and even unexpected power outages. What's even more frightening is that, according to an NFIB National Small Business Poll, only 6 percent of those businesses affected were able to survive after a catastrophic data loss. Here are several additional reasons why it's important to take the time to create a disaster recovery and backup policy:
- Humans aren't perfect, so mistakes can and will happen. It might be a bit depressing to consider, but a staff member's ill-timed but well-meaning keystrokes can take down an organization in minutes. Whether the culprit is someone on the IT team who forgot to log a particular backup file or an incautious user, incremental online data backups and a clear, written disaster recovery plan can mean the difference between being down for a few hours and being down for a few weeks. Prevent these incidents through structured quality assurance activities and ongoing process improvements that tighten systems access.
- Technology fails, period. The simplest instance of a tech failure is lost internet connectivity, but widespread hardware failures can be catastrophic. Without a disaster recovery plan in place, you and your team may be stuck reconfiguring new machines before you can even attempt to transfer or rebuild customer files and other important data. Regular backups to the cloud may help get you back up and running quickly. If fully outsourcing your data and infrastructure needs to a third-party data center isn't a possibility, at least invest in a solid incremental, cloud-based backup process.
- Customers are needy at all hours. Customers really don't care that someone erased the only server with their details on it -- the reality is that they want access to their details and information right now. Our 24/7 economy has spoiled our customers and left them expecting always-on service and perfection in every interaction. If your organization isn't able to live up to their standards, a competitor is only a click away. As painful and expensive as it is to acquire customers, it can be nearly impossible to win them back after a major data breach or an unexplained loss of access.
When you develop a solid disaster recovery and backup strategy, you're not only saving your organization money but also ensuring that your team can continuously provide the high level of customer service that is expected from a trusted organization.
Password Policy and Security Standards
When employees, students or other constituents fail to abide by security policies, the consequences should be clearly defined and applied to all individuals regardless of position. Security policies and password policies protect your organization's data from loss or theft, and that can only be done with the support of business and technology users alike. Items that you might want to secure include intellectual property such as patents, customer data, product catalogs and pricing, as well as confidential customer information such as contact information, personal payment methods and personally identifiable information such as social security numbers, addresses and dates of birth. Source code, patent applications and drawings are also potential sources of data loss; their exposure may not harm your organization directly, but it can allow your competitors to catch up with and potentially even leapfrog your current applications.
The loss of secure customer data can be devastating on a variety of levels. The three-pronged approach to data security rests on "Confidentiality", "Integrity" and "Availability"; when any of these fails, it can result in loss of goodwill from your customers, business losses and even legal liability. When you take the steps to mitigate risk, you're stating in a documented way that you're actively protecting the assets of your organization. Even if your security program should fail, having a written list of security standards may help protect you in the case of litigation. There are certain standards that have been recognized for success, including:
- A risk assessment that identifies potential risks and then quantifies them, so you can provide a cost-effective and appropriate way to manage them. Some standard components include rules around data in transit both within and outside your organization and rules on when to share data with third-party programmers or contractors. Internal corruption of data should also be assessed.
- A designated security officer who coordinates and evaluates the overall efficacy of the program, including testing and quality assurance. Raising awareness within the organization of the reasoning behind the shift towards a broader security structure can win allies, or at least reduce the resentment and misunderstanding among those who do not yet see that these rules are meant to protect employees, customers, students and managers.
- Attention to the human factor when designing systems; otherwise the limitations will quickly become apparent when a new system is launched. Ensure that all users have the proper training on systems and understand the philosophy behind the direction. If employees are on board with the core purpose of your organization's security policies and understand the consequences to the business should they be ignored, it will be that much more likely that people will conform to the overall requirements and needs of the organization.
- Audit and regulatory compliance, which can be particularly strict if you're dealing with eCommerce or other highly structured transactions. Great examples are HIPAA for patient information in the healthcare industry, PCI compliance for credit card processing, and additional regulations for corporate financial management as well as for government agencies or contractors.
Even with all of these components, your security plan is never truly "done". As soon as you have everything nailed down exactly the way you want it, that is the time to start thinking about an update schedule. However, when you maintain a disaster recovery plan, mobile and tablet policies, an acceptable use policy and security standards, you'll find that users naturally gravitate towards reasonable recommendations. Protect your overall system security with these simple documents and educate your users.