By Jo Blitz Escotal
CEO
Escotal.com
Today’s heightened awareness and the need to secure IT infrastructures and protect mission-critical data are leading more and more companies to reevaluate their security practices. An IT Security Policy should be in place to make sure your company has a standardized framework and checklist of your organization’s best security practices.
Here is a Basic Security Policy Template that any Organization should have in place.
1. POLICY: Has management provided the necessary leadership and reduced liability by issuing comprehensive information security policies, operating procedures, and associated responsibility statements?
Do you have a Security Policy in place? Do you have an AUP (Acceptable Use Policy) in place? Do you have a Social Media Policy in place? These are just some of the basics of setting up policies.
2. EMPLOYEE ACKNOWLEDGEMENT: Are all employees and contractors required to provide written acknowledgement of their understanding and acceptance of the organization’s information security policies?
3. CONFIDENTIALITY AGREEMENTS: Has the execution of properly signed confidentiality agreements been verified before proprietary and/or sensitive information is disclosed, in any form, to individuals outside the organization?
4. PHYSICAL SECURITY: Are there comprehensive business security systems in place to deter any and all criminal activity as well as keep all company resources secure? Are buildings, paper records, and sensitive IT resources (e.g., computer and network equipment, storage media, and wiring closets) properly secured from unauthorized access, tampering, damage, and/or theft by an intruder with malicious intent? Do you have on-site guards who can respond quickly if the security alarm goes off or an intrusion takes place? You can also provide wireless communication devices to guards so they can contact each other if any issue arises on the office premises during non-operational hours.
5. RESPONSE PLAN: Does the organization have a documented and frequently tested business resumption plan for critical computer systems and the associated office support infrastructure that includes frequent system backups, off-site data backup storage, emergency notification, replacement IT and office resources, alternate facilities, and detailed recovery procedures?
6. DETECTION: Are all computer systems protected with up-to-date Intrusion Detection Systems, alert systems, and other defenses against malicious software attacks?
7. TECHNICAL SECURITY: Are all dedicated connections to the Internet and other external networks properly documented, authorized, and protected by anti-virus, firewalls, proxies, IPS, virtual private networks (or other forms of encrypted communication), and an incident response capability?
8. REMOTE ACCESS: Are modem and wireless access point connections known, authorized, and properly secured, including remote access connections such as PPP, PPPoE, VPN, ICA, VNC, RADIUS, SSH, and TACACS?
9. PASSWORDS: Have all vendor-supplied, default passwords or similar “published” access codes for all installed operating systems, database management systems, network devices, application packages, and any other commercially produced IT products been changed or disabled? For existing access systems, has MFA (multi-factor authentication) been enabled?
10. SOFTWARE PATCHES: Are security-sensitive software patches, including the removal of unnecessary sample application software, promptly applied to systems that are accessible to users outside of the organization?
11. DATA PROTECTION: Is sensitive, valuable information properly protected from unauthorized access, and is data properly encrypted? If not, you might need the help of a data security team that can protect your business from potential cyber-attacks that could corrupt or steal your sensitive data. Such IT teams are ready at all times, can react quickly, and help the organization resist future incidents.
12. AUDITS AND VULNERABILITY TESTING: Are all computers and network devices (e.g., routers and switches) within your organization regularly tested for exploitable vulnerabilities and for any unauthorized (or illegally copied!) software?
13. BIOMETRICS: Are biometric authentication controls (e.g., fingerprint, face recognition) in use?
14. MONITORING and PROCEDURAL SECURITY: Are group and user policies in place?
15. EDUCATION and TRAINING AWARENESS: Are employees trained to recognize social engineering techniques?
A negative or unsure response to one or more of the above questions places an organization in a position of unnecessary risk: not only a heightened possibility of direct financial loss and/or public embarrassment from a security incident, but also the loss of confidence and credibility in the organization.