Created by e-skills uk

e-skills UK Guide

Creating IT security policies

Creating a policy to secure your business IT

The chances are that you have been busy writing business plans and have in place a great sales and marketing process. But one thing many small businesses forget to create is a policy that helps you secure the IT used in your business.

By implementing a policy you will have laid out clear lines of responsibilities and will ensure you and your team protect the reputation of your business.

If you follow these steps it should not take you long to build an effective IT security policy.

Objective of an IT security policy

Some very small businesses will see the creation of an IT security policy as a waste of time. For most sole traders it is not necessary to create a formal policy, as you are working by yourself and can be in control of your IT systems personally. That said, there are still some tips that you will pick up from this project, as they are important for businesses of all sizes.

For small businesses that employ one or two staff who use company IT equipment as part of their job, a security policy can act as useful protection against bad employee behaviour and get over the claim by an employee that “they didn’t know”.

In some cases you may find your customers and/or suppliers demand that you have a security policy in place that they can review – especially if you may be formally linking into their IT systems.

The growth in social networking and online gambling sites is causing concern to many employers, as these sites can be a huge distraction from day-to-day work. In addition, access to certain sites may lead to compulsive behaviour that is beyond the remit or management skill of a small business owner.

The objective of the security policy is to:

  • Set the boundaries of employee use of IT.
  • Say what is deemed acceptable behaviour when using IT systems.
  • Explain processes and procedures that have been implemented to protect and manage IT systems.
  • Assign roles and responsibilities for staff so everyone knows their respective tasks.
  • Explain what will happen if the policy is ignored or deliberately breached.

IT security policy best practice

As a business owner and probably managing director, you have certain legal responsibilities and expectations. Many of these are outside the scope of a Business IT Guide as they relate to the good management of a business, but many related expectations can be laid out in your security policy.

The actual policy will vary from company to company, so all we can do is give you some pointers.

Consider including words in people’s terms and conditions of employment that make it clear that you expect data security discipline to be observed. You will also need to say that failure to observe those disciplines will be treated as serious misconduct liable to summary dismissal. That sounds heavy, but you need to ensure that you have the ultimate sanction for people that refuse to take IT security seriously.

You should also consider making it clear that internet and email access for any purpose other than strictly necessary for their job is a privilege that can be revoked at any time, and that you maintain the right to review and intercept internet and email use in order to ensure your company’s policies are being observed.

Without these protections in an employee’s terms and conditions you might find you have no right to check what people are up to. You should, of course, obtain legal advice for suitable wording.

In terms of a general security policy, ensure good general behaviour by:

  • Banning access to unsavoury sites. This could include online auction, gambling and social networking sites. Tools and technologies are available to help you with this task if it is a significant problem.
  • Banning all sharing and downloading of copyright material such as songs, films and videos.
  • Letting people know their internet access is being monitored and activities will be reviewed. Again there are tools to help you with this if you see it as a significant problem.
  • Telling people to protect their passwords and enforcing password changes every so often. There are tools to assist with this.
  • Clearly stating what will happen if anyone breaks any of these rules.
  • Ensuring emails have an automatic disclaimer about the content.
  • Stating how email communication is to be conducted – maybe using the “letterhead” principle: everything that you write in an email is as binding as a letter on your official notepaper.
  • Letting staff know your acceptable use of Instant Messaging, if you permit it at all.

It is important to consult with people over the security policy and explain why it is so important. After all, it is everybody’s job and reputation on the line if someone transgresses. You will also need to make sure that all of your employment contracts refer back to the security policy so that you have recourse if someone flouts the policy. It is also a good idea to periodically check the policy to make sure it is keeping up with the latest innovations and technologies.

The cost of monitoring tools and software varies from £25 to £100 per PC. Setup is very straightforward and is often a download from a vendor's site, taking about 20 minutes to install and configure.

Here are a number of providers of internet and email usage monitoring software:

RESOURCEMONITOR 

WAVECREST 

SPECTORSOFT 

PEARLSW

Free security advice

Whether your business has been affected by crime or you are seeking preventative measures against crime, the Business Crime Reduction Centre (BCRC) is here to assist you. Contact BCRC by:

Calling: 0114 275 1283
E-mailing: info@bcrc-uk.org
Visiting: http://www.bcrc-uk.org

Commercial suppliers

We do not recommend specific products or suppliers; instead we provide you with a representative sample which covers the range of suppliers/products available. You may choose to look at these suppliers or products but this is entirely at your discretion.
