In today’s digital age, technology plays a crucial role in almost every aspect of business. At the same time, information security risk keeps growing, often faster than organizations can keep up, especially small businesses and nonprofits. One often-overlooked way to combat that risk and set your organization up for success is to establish written corporate policies governing the proper use, management, and security of information and technology assets. Let’s dive into what corporate IT and infosec policies are, why they are important, and which policies your organization should have.
What are Written IT/IS Policies?
For the purposes of this article (and what you may read elsewhere), IT/IS stands for “Information Technology” and “Information Security.” Written IT/IS policies are formal documents that outline how information and technology assets are defined, leveraged, configured, and protected within an organization. These policies define guidelines and best practices for employees, contractors, and other users who interact with the organization’s technology infrastructure. Policies may cover a wide range of topics, including security, data backup, disaster recovery, acceptable use, and access control.
These policies are operational, not technical: they state what the organization requires (who may access what, how long backups are retained, how quickly an incident must be reported), not the specific settings, products, or commands used to meet those requirements. The technical configuration follows from the policy, not the other way around.
Why are Written IT/IS Policies Important?
Written IT/IS policies are essential for organizations of all sizes, as they provide a framework for managing information and technology assets in a consistent, secure, and efficient manner. Policies ensure that all users understand their roles and responsibilities in relation to technology, and provide a baseline for assessing compliance and enforcing consequences for policy violations. They also help to protect the organization from legal and reputational risks associated with data breaches, cyber attacks, and other security incidents.
“Risk is a part of everyday life, from transportation and travel to business and financial decisions. The digital world is no exception. While information and technology have driven innovation and created new opportunities for businesses worldwide, they are not without peril.” – Information Systems Audit and Control Association (ISACA)
Policies tell technology professionals and employees how the organization wants its information and technology to work. Those documented business requirements then drive informed decisions about things such as which software applications the business should use, how they should be configured, and how end users should be trained to use them.
Not having them could be costing you (see IBM’s Cost of a Data Breach Report 2022).
Policies Your Organization Should Have
While the specific policies your organization needs may vary depending on your industry, size, and technology infrastructure, there are some basic policies that every organization should have in place. Here are some examples:
- Acceptable Use Policy – Defines what types of technology usage are allowed, prohibited, or restricted within the organization.
- Access Control Policy – Outlines how access to technology assets and data is granted, managed, and revoked. This policy is often broken down into other policies, such as Remote Access Policies or Password Policies.
- Data Backup and Recovery Policy – Defines how data is backed up, stored, and recovered in the event of a disaster or other incident. Occasionally, this will also be part of a larger Business Continuity Policy (which may cover things like business line of succession or what to do in the event of a natural disaster for business operations, not just technology and information systems).
- Information Security Policy – Outlines how technology assets and data are secured against threats such as malware, phishing, and other cyber attacks. Sometimes other policies may incorporate these considerations.
- Incident Response Policy – Defines how the organization responds to security incidents and data breaches, including notification, containment, and recovery procedures.
It’s not just for Large Enterprises
While written IT/IS policies may seem like something that only large enterprises need, the reality is that every organization can benefit from having them in place. Small businesses and nonprofit organizations may have fewer resources and a smaller technology infrastructure, but they are still vulnerable to security risks and compliance issues. By establishing clear policies and procedures for technology use, these organizations can better manage their assets and protect against threats.
With growing cyber threats, it’s more important than ever for organizations of every type to dedicate the time and resources needed to establish these policies properly and enforce them operationally in order to mitigate risk.
Pitfalls and Common “Catch 22” Scenarios
Establishing written IT/IS policies is not easy. Beyond needing the operational (and technical) expertise to properly craft them, there are also pitfalls and common “catch 22” scenarios to navigate.
- Chicken or the egg: “Just configure it to be secure” or “just follow best practices” is a pitfall and a myth, and it sets up both your IT staff and your organization for failure. “Secure” and “best practices” are amorphous terms that rarely mean anything specific on their own. Because they are subjective, you need an established framework (your written policies) against which a proposed configuration can be compared. Skipping this step also tends to create a “reverse policy” scenario, where you end up writing policies to fit the technology you already have rather than adapting the technology to the requirements you actually want and need.
- Balancing security and usability: Another common challenge is balancing security requirements against usability needs. For example, if an organization requires complex passwords with frequent forced changes, users are more likely to write passwords down or rotate through easily guessed variations, which weakens security rather than strengthening it (current NIST guidance in SP 800-63B recommends against mandatory periodic rotation unless a compromise is suspected, for exactly this reason). Conversely, an organization overly sensitive to delayed email may want to “allow list” every domain its email filter ever flags as a false positive, exposing itself to serious risk from phishers and scammers and defeating the purpose of having email threat protection in the first place. It’s not up to an IT person to decide what your risk appetite is as an organization. Executive leadership needs to define it, craft a written policy around it, and have the IT person configure the systems in a way that complies with that policy.
- Keeping policies up-to-date: Policies also have to keep pace with changing technology and business needs. As technology evolves, policies may need to be revised to address new risks or opportunities, and it can be difficult to ensure they remain relevant and effective. Schedule an internal review of every policy at least annually, and trigger an out-of-cycle review whenever a significant technology or business change occurs (a new cloud platform, a merger, a new regulatory obligation).
- Compliance with regulations: Many industries have specific regulations governing the use and protection of technology assets and data. Organizations need to ensure that their policies comply with these regulations and that they have processes in place to monitor and report on compliance. Healthcare (for example, HIPAA) and financial institutions (for example, GLBA) are the most commonly cited, but many states also have consumer protection and identity protection laws that apply to a very wide range of organizations. Want to know one of the most common regulatory compliance requirements out there? Having established, written policies governing technology and information in your organization.
- Enforcement: Developing policies is one thing, but enforcing them is another. Organizations need to have processes in place to monitor compliance and enforce consequences for policy violations. This can be challenging, particularly if policies are complex or if users are not fully informed or trained on their requirements.
- Communicating policies to employees: Finally, organizations need to effectively communicate policies to employees and ensure that they understand their roles and responsibilities. This requires ongoing training and education, as well as clear and concise policy documentation that is easily accessible.
By considering these and other potential challenges, organizations can better develop and implement effective IT/IS policies that address their specific needs and goals.
Written IT/IS policies are critical for organizations of all sizes to manage their information and technology assets in a consistent, secure, and efficient manner. By establishing clear policies and procedures for technology use, information access, security, and recovery, organizations can protect against risks and demonstrate compliance with regulatory requirements. Creating policies takes effort, upkeep, and resources, but the benefits far outweigh the risks and costs of not having them in place.
If you feel in over your head and need help, reach out to a trusted technology partner or expert who can help establish, write, periodically review, and maintain these policies for you.