By Jo Blitz Escotal
CEO
Escotal.com
Today’s heightened awareness and the need to secure IT infrastructures and protect mission-critical data are leading more and more companies to reevaluate their security practices. An IT Security Policy should be in place to make sure your company has a standardized framework and checklist for what your organization’s best security practices are.
Here is a Basic Security Policy Template that any Organization should have in place.
1. POLICY: Has management provided the necessary leadership and reduced liability by issuing comprehensive information security policies, operating procedures, and associated responsibility statements?
Do you have a Security Policy in place? Do you have an AUP (Acceptable Use Policy) in place? Do you have a Social Media Policy in place? These are just some of the basics of setting up policies.
2. EMPLOYEE ACKNOWLEDGEMENT: Are all employees and contractors required to provide written acknowledgement of their understanding and acceptance of the organization’s information security policies?
3. CONFIDENTIALITY AGREEMENTS: Has the execution of properly signed confidentiality agreements been verified before proprietary and/or sensitive information is disclosed, in any form, to individuals outside the organization?
4. PHYSICAL SECURITY: Are buildings, paper records, and sensitive IT resources (e.g., computer and network equipment, storage media, and wiring closets) within them properly secured from unauthorized access, tampering, damage, and/or theft by an intruder with malicious intent?
5. RESPONSE PLAN: Does the organization have a documented and frequently tested business resumption plan for critical computer system and associated office support infrastructure that includes frequent system backups, off-site data backup storage, emergency notification, replacement IT and office resources, alternate facilities, and detailed recovery procedures?
6. DETECTION: Are all computer systems protected with up-to-date Intrusion Detection Systems, alert systems and other defenses against malicious software attacks?
7. TECHNICAL SECURITY: Are all dedicated connections to the Internet and other external networks properly documented, authorized, and protected by anti-virus, firewalls, proxies, IPS, virtual private networks (or other forms of encrypted communication), and an incident response capability?
8. REMOTE ACCESS: Are modem and wireless access point connections known, authorized, and properly secured using protocols and services such as PPP, PPPoE, VPN, ICA, VNC, RADIUS, SSH and TACACS?
9. PASSWORDS: Have all vendor-supplied, default passwords or similar “published” access codes for all installed operating systems, database management systems, network devices, application packages, and any other commercially produced IT products been changed or disabled?
10. SOFTWARE PATCHES: Are security-sensitive software patches, including the removal of unnecessary sample application software, promptly applied to systems that are accessible to users outside of the organization?
11. DATA PROTECTION: Is sensitive, valuable information properly protected from unauthorized access, and is data properly encrypted?
12. AUDITS AND VULNERABILITY TESTING: Are all computers and network devices (e.g., routers, and switches) within your organization regularly tested for exploitable vulnerabilities and any unauthorized (or illegally copied!) software?
13. BIOMETRICS: Fingerprint, Face Recognition etc…
14. MONITORING and PROCEDURAL SECURITY: Group and User policies
15. EDUCATION and TRAINING AWARENESS: Train employees to recognize social engineering techniques
A negative or unsure response to one or more of the above questions places an organization in a position of unnecessary risk, not only through the heightened possibility of direct financial loss and/or public embarrassment from a security incident, but also through the loss of confidence and credibility in the organization.