Policies & Procedures

The first step in securing your network is to define how your company intends to manage and protect its information and resources. Such decisions depend upon things like the nature of your information and the cost of security. But regardless of your final decisions, your security practices should be written down and shared with all your employees.

Policies are the overall company attitudes and intentions. For example, “It is the policy of XYZ Company to back up our data nightly and store this backup at an offsite facility.” Procedures, on the other hand, are step-by-step instructions, with the responsibility for each step carefully delineated.

Policies and procedures should be tailored to fit your specific environment, but should deal with such topics as:

• The level of privacy an employee can expect on a company computer
• Which employees have access to which systems
• Network practices
• What to do when you suspect an intrusion
• Steps to take when an employee leaves the company

Security policies and procedures should be documented, regularly enforced, and users should know their obligations for protecting the company’s network. Users include all who have authorized accounts on your systems. They can play a vital role in detecting signs of intrusion.

How do I get policies and procedures?

You can create your own policies and procedures, have them written for you by a consultant, or purchase them already written. There are several sources on the Internet that can help you:

Free information:

• About.com: Human Resources
• The SANS Security Policy Project

Paid services:

• Information Security Policy World

Good website on overall security considerations:

• CERT Tech Tips

A good essay on security practices:

• Best Current Practices in Security (in PDF format)