There has been entirely too much press lately focused on the impact of IT security breaches. Ultimately, you should re-evaluate your data security policy to see whether it stacks up to industry standards, so that you are not the next victim of this negative press. When formulating a data security policy, it is important to look at all threats and to cover more than just the basics.
Among the most important elements to cover in a data security policy are:
1. Ensuring Data Security Accountability: A company needs to ensure that its IT staff, as well as its general workforce and management, are aware of their responsibilities and what is expected of them. The various types of data should be classified so that both workers and management understand the differences; classes should include:
- Confidential data
- Data that is meant to be sent internally within the company
- General data
- Data that is meant to be sent outside the company
By categorizing data, it is possible to make sure that workers are aware of how to handle each type and which types they are allowed to distribute.
2. Policies that Govern Network Services: This section of the data security policy dictates how the company is to handle issues such as remote access and the management and configuration of IP addresses. It also covers the security of components such as routers and switches. This is where policies regarding the detection of network intrusions should be defined.
3. Scanning for Vulnerabilities: It is important to find any vulnerabilities in a company's IT infrastructure before attackers do. Since attackers will scan for vulnerabilities the minute they are disclosed, a company should have a routine in place for checking its own networks regularly.
4. Managing Patches: Applying patches that eliminate known vulnerabilities helps to protect against threats. How and when patches are to be applied to systems should be a part of the data security policy.
5. System Data Security Policies: This part of the data security policy covers the security configuration of all of a company's essential servers and operating systems. It sets out rules regarding servers that run on the company's networks as well as the management of accounts and passwords. Firewall, database and antivirus policies also fall under this heading.
6. Physical Security of Data: This part of the data security policy covers the security of buildings, which includes key card readers and security cameras. The rules in this section should also deal with the handling of visitors and shipping/receiving. For data to truly be secure, it is important that the company's premises be secure as well.
7. The Response to Incidents: If a security breach occurs, it is important to have appropriate measures for handling it already in place. This includes the evaluation and reporting of the incident, as well as how to resolve the problems that led to it.
8. Acceptable Use: Employees should be provided with precise definitions of what constitutes acceptable use. Additionally, it is a good idea to have them sign an acceptable use policy so that the company can pursue disciplinary action if necessary.
9. Training in Security Procedures: It is important to ensure that the staff in charge of the company's security are kept up to date on the latest techniques.
10. Monitoring Compliance: Audits are a good way to ensure that the company's staff and management are complying with the various elements of the data security policy. These should be performed regularly.
The data security policy should be reviewed at least twice a year to ensure that it is current. It should also be reviewed whenever changes are made to the company's networks. If you would rather not handle this yourself, you can always outsource it to experienced professionals who can do it for you.