Written security policies are essential to a secure organization. Everyone in a company needs to understand the importance of the role they play in maintaining security. One way to accomplish this – to create a “security culture” – is to publish reasonable security policies. These security policies are documents that everyone in the organization should read and sign when they come on board. In the case of existing employees, the policies should be distributed, explained and – after adequate time for questions and discussions – signed.
This article will introduce you to seven security policies that every organization should consider adopting. The specific policies that you implement, as well as the amount of detail they contain, will change as a company grows. Certainly, an organization with two employees has different security concerns than an organization of thousands. This list addresses both physical and information security issues, and is meant to provide a starting point for assessing your particular security needs, when establishing your security policy.
Below are some guidelines a business should consider when setting up any kind of policy on the use of the internet during business hours.
General Internet Usage:
- Internet usage is intended for job-related activities. Occasional brief personal use is allowed within reasonable limits
- The Company reserves the right to monitor internet traffic and retrieve any data that is composed, transmitted, or received and, as such, is subject to disclosure to law enforcement or other third parties
- Team members cannot pirate software, or download/copy software without authorization
- Team members should always ensure that the business information contained in internet email messages and transmissions is accurate, appropriate, ethical, and lawful
If your company allows all employees to access the internet, then rules must be in place that restrict the amount of time they may spend on personal use. Any company internet usage policy document should therefore clearly state when employees are entitled to use the internet for personal browsing and when it is reserved for company work. To ensure that employees follow the guidelines, install a good-quality tracking program; this lets you see when, and for what, your employees are using the internet. Again, employees must be made aware that their use of the internet is being tracked.
What kind of subjects should you cover in the email section of your security policies? Here is a list of ten points to include:
- Email risks: The policy should list email risks to make users aware of the potential harmful effects of their actions. Advise users that sending an email is like sending a postcard: if you don’t want it posted on a bulletin board, then don’t send it.
- Best practices: This should include email etiquette and writing rules in order to uphold the good reputation of the company and to deliver quality customer service. For instance, include 6 etiquette rules:
  - Do not write emails in capitals,
  - Enable spell checking,
  - Read the email before you send it,
  - Include a signature that conforms to company format,
  - Use proper grammar and punctuation,
  - Include instructions on compressing attachments to save bandwidth.
- Personal usage: The policy should state whether personal emails are accepted and if so, to what extent. You can for instance set limits on the times of day that personal emails can be sent (only during breaks), or you could require personal emails to be saved in a separate folder. In addition, state that employees are prohibited from sending or receiving certain email attachments, such as exe, mp3 or vbs files. You could also include a maximum file size for attachments sent via email.
- Wastage of resources: Warn users that they are making use of the company’s email system and that they should not engage in non-business activities that unnecessarily tie up network traffic. The policy must also cover the use of newsletters & newsgroups. For instance you can state that employees may only subscribe to a newsletter or newsgroup if this directly relates to their job.
- Prohibited content: The policy should expressly state that the email system is not to be used for the creation or distribution of any offensive, or disruptive messages, including messages containing offensive comments about race, gender, age, sexual orientation, pornography, religious or political beliefs, national origin or disability. State that employees who receive any emails with this content should report the matter to their supervisor immediately. Moreover, employees should not use email to discuss competitors, potential acquisitions or mergers or to give their opinion about another firm. Unlawful messages, such as copyright infringing emails should also be prohibited.
- Document retention policy: Include information on whether or not email will be archived and for how long. If your organization is required to archive email messages, state that all emails will be archived and include the number of years that the records will be kept. If you are not required to archive your emails, notify your users about whether they can or should delete emails after a number of months or years.
- Treatment of confidential data: Include rules and guidelines on how employees should deal with your company’s confidential information and trade secrets. They should also be aware that they should not forward any confidential messages or attachments from other companies without permission. Make employees encrypt any confidential information that is sent via email and change passwords regularly.
- Email disclaimer: If you are adding a disclaimer to employees’ emails, you should inform them of this and state the disclaimer text that is added.
- Email monitoring: If you are going to monitor your employees’ emails, you must state this in your email policy. Warn that employees should have no expectation of privacy in anything they create, store, send or receive on the company’s computer system and that the company may, but is not obliged to monitor messages without prior notice. If you do not mention that the company is not obliged to monitor messages, an employee could potentially sue the company for failing to block a particular message.
- Measures & violation reporting: Warn that if an employee is found to be in breach of the email policy rules, this could result in disciplinary action, up to and including termination. If an employee witnesses email policy abuse they are required to report the incident immediately. Include contact details of who to contact if a violation of the policy rules is detected. This could be a supervisor but it might also be a good idea to appoint a specific contact person to report email policy breaches to.
While you might not have a large staff now, it is a good idea to put an online networking policy into your security policies as soon as possible. Make sure that everyone is aware of the social networking policy when they are first hired. Here are some things to consider when you are coming up with the social media policy for your company.
Social Media Presence:
- Remember to act respectfully at all times when interacting on social media platforms
- Confidential company information should be kept off social media
- Team members should follow company guidelines for how to talk about products (or services) to keep with brand image
- Should team members see negative content regarding the company on social media, they are to follow the set engagement procedures in order to react properly
- Be sure to create a secure password and avoid default privacy and security settings for personal social media pages
- What your employees are allowed to say about the company.
- I am not suggesting that you totally censor your employees. However, you do have a certain public image to uphold. You have to decide early on what you are going to allow your employees to say about the company on social networking sites. This is definitely something that needs to be outlined in the handbook you create about your company’s social media policy.
- Is there a particular point person to send media requests to?
- Your employees may run into members of the media while they are networking. The journalist may want to ask them some questions about your company. You have to decide if you want your employees to be able to answer those types of questions themselves or if you want one employee to be the designated spokesperson for the company. Whatever you decide, make sure to communicate this to all staff so there is no confusion.
- What employees are allowed to post on online networking sites.
- Once again this is a matter of protecting your company image. Your employees are a representative of you. You need to figure out what kind of information you want your employees to post on social media. Are they allowed to reveal your company name on their personal profiles? Can they post pictures of themselves at work? Is it okay for them to post pictures of themselves drinking alcohol? These might seem trivial, but it is important to let your employees know beforehand what they can post rather than trying to discipline them when they cause bad publicity for the company.
Having a social media policy is important for you and your employees. It helps your employees to know exactly what they can and can’t do with their social media profiles. It could also protect you from future lawsuits since the policy will be spelled out in black and white. Now stop reading this article and create a social media policy for your company.
You need to have an access control procedure, not just for visitors, vendors, and guests, but also for employees, as not every employee needs access to every area. Ask these questions when developing an access control procedure for your security policies:
- Do they have a need to be there? If an employee’s job does not require them to be in an area, clearly state that area is off limits, or set a physical control like key or electronic access to ensure it is enforced.
- Will they need to be escorted? A good rule of thumb is to clearly state that areas like an HR office are restricted access, and that only select personnel are authorized to enter unless escorted by those personnel. Other offices and areas may need the same type of policy.
Mobile Device Security
When you issue company business mobiles you face both pros and cons: on one side, convenience and productivity; on the other, the question of how to restrain mobile phone use while keeping your company's liabilities to a minimum.
Here are some ways you can create security policies with respect to the use of company issued handsets:
Dispel privacy breach concerns with your company issued mobile phones. Make it a point to inform your employees that they do not have to fear their privacy being breached with the issuance of company mobiles. By doing this, you eliminate the probability of other problems or lawsuits from arising in the workplace.
Be sure that you own the phone numbers issued. It is very vital that you keep ownership of the phone numbers. You have to be clear with this in your policy. It is because you want to limit the likelihood of a leaving employee from further soliciting or doing business with your customers once they are gone.
Check monthly charges from time to time. The moment your employees know that their bills are being checked on a regular basis, they are less likely to incur unexplained surcharges or other unnecessary charges like for instance the purchase of unauthorized 3rd party content such as apps, ring tones, or even mobile games.
Report lost or damaged devices as soon as possible. The instant a company mobile device has been lost, damaged, or stolen, employees must report it so that all related services can be turned off as soon as possible. Some mobile apps enable users to remotely track a phone's SIM card and delete all private data once the phone is lost or stolen. Expressly indicate who will bear the costs in case of a lost or damaged business mobile phone. If the employee will have to bear the financial burden, then by all means let them know and have them sign an acknowledgement agreement to that effect.
Inform them about GPS tracking. Many mobile phones come with software that not only allows GPS navigation but also tracks the bearer. You have to expressly let employees know that their business mobiles will come with a GPS tracking feature. Businesses in the field of logistics benefit greatly from this practice.
Visitor Management and Safety
An unauthorized or unescorted visitor can be a physical threat and can also steal sensitive information. If possible, steer all visitors into a controlled entry point, be it a gate or receptionist’s desk. When writing your policy, decide whether visitors should be escorted at all times, or only in certain areas. Requiring visitors to wear a badge and sign in and out should also be considered. If your visitor management policy is communicated clearly, employees can more easily serve as your eyes and ears as they will feel more comfortable approaching or reporting a suspicious individual.
It would be wise then to craft a safety policy for visitors along the same lines as employers do for workplaces.
1 – Visitors must be notified of any hazards they might encounter.
2 – They must be made aware of all protocols and procedures in the event of an emergency.
3 – All visitors must sign-in and sign-out of your facility.
4 – As in any workplace, visitors must be provided with the appropriate personal protective equipment (PPE) and instructed in its use and the reason for it.
5 – Care must be taken to ensure proper fit and use of the PPE.
6 – Visitors must be oriented properly and advised on the basics of behavior during the visit.
What is a Nondisclosure Agreement?
Fortunately, the United States legal system has several safeguards to protect intellectual property rights. One of these is the nondisclosure agreement (NDA), also known as a “confidentiality agreement.” This is a signed agreement between two or more parties which states that they will keep confidential specific information shared during their business relationship, or in the course of a transaction. In the business world, an idea, formula, or process can be a company’s most important asset. The NDA ensures that a company or individual retains exclusive rights to their intellectual property. When you hire a company to manufacture your plush toy, an NDA gives you the assurance that your ideas (and profits) remain yours, and legal recourse if they do not.
Types of NDA
There are two kinds of NDA. With a one-way NDA, only one of the parties is disclosing information. If you are hiring a company to produce your plush toy, but that company will not be sharing proprietary information (such as a secret method of stitching) with you, you may only need a one-way NDA. A mutual NDA is necessary when everyone involved in the process is sharing private information. If you sell a new manufacturing process to a soft drink company which shares a secret formula with you, you’ll both want a mutual nondisclosure agreement.
Contents of an NDA
A good NDA contains:
- Definitions of the shared information. For example, yours might include “the design for Skippy the Cat,” without describing the confidential information itself.
- Exclusions. Not all information needs to be confidential. This protects the recipient, in the event that it possesses or discovers information independently of its relationship with you.
- Recipient’s Responsibilities. Shared secret information must remain secret. Neither party can share it or use devious ways to steal it.
- Time Limit. Although you might want your idea to remain secret forever, this is not always going to be the case.
- Miscellaneous Clauses. These are various legal details, such as how a breach will be handled, who will pay attorney fees in the event of a lawsuit, etc.
BONUS: Workstation Security
- Ensure monitors are positioned away from public view
- Use screen privacy filters for added security (especially in open floorplan offices)
- Always lock computer (and protect with a password) when stepping away from your desk
- Log off workstation at the end of each business day
- Keep food and drink away from your workstation at all times
- When taking your laptop or other company owned devices out of the office, be sure to keep them in your trunk and out of plain sight
- Only approved personnel may install software on workstations
- All sensitive information must be stored on network servers and not the workstation itself
- Follow all authentication and password management requirements
One key to creating effective policies is to make sure that they are clear, and as easy to comply with as possible. Policies that are overly complicated only encourage people to bypass the system. Don’t make employees feel like inmates. Communicate the need, and you can create a culture of security.
There is always a trade-off between security and convenience. You would like to board a plane without going through the TSA checkpoint, right? But how comfortable would you be knowing that no one else on the plane had gone through security either? The policies described in this article will help to ensure that you and your employees are protected.
For help in developing security policies to protect your organization and its employees, contact me. I am available to assist you with your security policy development, or any other security needs you may have.