Policies & Procedures
The first step in securing your network is to define how your company intends to manage and protect its information and resources. Such decisions depend upon things like the nature of your information and the cost of security. But regardless of your final decisions, your security practices should be written down and shared with all your employees.
Policies are the overall company attitudes and intentions. For example, “It is the policy of XYZ Company to back up our data nightly and store this backup at an offsite facility.”
Procedures, on the other hand, are step-by-step instructions, with the responsibility for each step carefully delineated.
(NOTE: Policies are top-level documents, and should be approved by the highest officer in the organization, such as the CEO or president. Because of this, they should be as broad as possible, so that they will seldom need changing. Keep your details to the procedure level, because those will likely require more frequent modification.)
Policies and procedures should be tailored to fit your specific environment, but should deal with such topics as:
- The level of privacy an employee can expect on a company computer
- Which employees have access to which systems
- Network practices
- What to do when you suspect an intrusion
- Steps to take when an employee leaves the company
Security policies and procedures should be documented and regularly enforced, and users should know their obligations for protecting the company’s network. Users include all who have authorized accounts on your systems. They can play a vital role in detecting signs of intrusion.
How do I get policies and procedures?
You can create your own policies and procedures, have them written for you by a consultant, or purchase them already written. There are several sources on the Internet that can help you. Here are a few:
- About.com: Human Resources
- The SANS Security Policy Project
- Security policy samples, templates and tools
- Information Security Policy Template (covers HIPAA concerns)
- Security Policy Template (handheld devices)
For Florida State Agencies
The Office of Information Security has developed several policy templates as guidelines for Florida agency security policies, including a recent Mobile Computing policy.