IT Security Policy: A Must Have

Apr 11, 2012 | Security

I know we all feel that we do our best when it comes to securing both the physical and the intangible assets of our businesses. Most companies feel that by simply locking doors, controlling who has keys and alarm codes, changing passwords, and taking other basic security measures they are doing their best to protect the business. I am not a physical security officer or loss prevention specialist, but I do know about “basic” IT policy and how it can help your business protect its “information” assets.

So here are the questions of the day: Does your company have an enforceable IT security policy? Who is directly responsible for the management and enforcement of this policy? How often is this policy reviewed and updated?

These are all very serious questions that every business must answer. In many cases the “information” a business possesses is one of its most valuable assets.

Password Change Policy – The simplest form of security

End users need to keep their passwords secure, change them regularly (at least every 90 days), and meet a complexity requirement (a minimum length plus upper- and lower-case letters, numbers, and symbols). Be vigilant about telling end users not to share their password or give it to anyone for use on their behalf. A former employee who knows a colleague’s password can log in remotely under that end user’s identity and access data, so pair the password rules with an off-boarding step: disable a departing employee’s account the day they leave and reset any shared or service credential they may have known. Be vigilant!
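The following is an added example, not part of the original post or Axxys’s own tooling, showing how the rules above are applied in an Active Directory domain from PowerShell. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT), a domain named corp.example.com, and a leaver account named jdoe; all three are placeholders. It also goes one step beyond the paragraph by listing the accounts a rotation rule silently misses: enabled accounts nobody has used in 90 days and accounts flagged “password never expires”.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module is available and that corp.example.com / jdoe are placeholders.
Import-Module ActiveDirectory

$Domain = 'corp.example.com'   # assumption: replace with your own domain

# Domain-wide password policy: complexity on, minimum length, a change at
# least every 90 days, history so users cannot cycle back to an old password,
# and lockout so a leaver cannot simply guess a colleague's password.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -ComplexityEnabled $true `
    -MinPasswordLength 12 `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# Verify what is actually in force rather than what you think you set.
Get-ADDefaultDomainPasswordPolicy -Identity $Domain |
    Format-List ComplexityEnabled, MinPasswordLength, MaxPasswordAge,
                PasswordHistoryCount, LockoutThreshold

# The post's warning about departed staff: rotation does nothing for an
# account nobody disabled. List enabled accounts with no logon in 90 days...
Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object Name, SamAccountName, LastLogonDate |
    Sort-Object LastLogonDate

# ...and accounts exempted from expiry, which the 90-day rule never touches.
Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' |
    Select-Object Name, SamAccountName

# Off-boarding step for a named leaver (jdoe is a placeholder).
Disable-ADAccount -Identity jdoe
```

Run the two audit queries on a schedule and hand the output to whoever owns the policy; the “who is directly responsible” question above is only answerable if someone actually receives and acts on this list.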

Remote Access Policy

It’s a mobile world and we want to ensure our teams have the ability to work remotely. However, we need to ensure that the data is secured and that you know exactly what is being accessed. Our first recommendation is Terminal Services/Citrix, which keeps the data on the server: end users work inside a hosted session, so they cannot pull data down to their remote device. If this is not a feasible option, Axxys recommends an SSL VPN connection that integrates with Windows Active Directory for authentication. Understand the trade-off: a VPN puts the remote PC/laptop on your network, so end users can move data from the servers to a device you do not control. Be sure you know exactly who has remote access, what they have access to, and that they are vigilant about protecting their credentials. Your information is leaving the confines of your business!

Remote Wipe Capabilities for All Mobile Devices (iPads included)

Make sure that your IT administrators know how to remotely wipe a mobile device if you are using Exchange 2007/2010; it comes in handy when an end user loses a device. Let’s face it, end users have their email, contacts, and calendar on their mobile devices, and it makes them more efficient. However, you need to ensure that if these devices are lost or stolen they can be “wiped” of any sensitive information so as not to compromise your clients, your client list, or your company security. Two caveats: Exchange delivers the wipe on the device’s next sync, so a phone that never reconnects is never wiped, which is why the device should also require a PIN and on-device encryption; and in these Exchange versions the wipe is a full factory reset, personal data included, so confirm with the end user before issuing it. Also be sure you control who can access email, contacts, and calendars from a mobile device. You need to know who has this and why. Sometimes the answer is simple, but some end users simply do not need it, and Axxys would strongly encourage you to evaluate the situation.
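As an added example (not from the original post, and not Axxys’s own procedure), here is the corresponding Exchange Management Shell work on Exchange 2007 SP1/2010: find out who has ActiveSync turned on, see which devices a user has paired, send a wipe, confirm it was acknowledged, switch off mobile access for users who do not need it, and require a PIN and encryption for those who keep it. The mailbox names jdoe and jsmith, the notification address, the iPad device type used to pick the lost device, and the policy name Default are all assumptions for illustration.

```powershell
# Added example (not from the original post). Run from the Exchange Management
# Shell on Exchange 2007 SP1 / 2010. jdoe, jsmith, itsec@corp.example.com and
# the "Default" policy name are placeholders.

# Who has ActiveSync enabled at all? (The post's "who has this and why".)
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled } |
    Select-Object Name, ActiveSyncEnabled

# Which devices has this user paired, and when did each last sync?
$devices = Get-ActiveSyncDeviceStatistics -Mailbox jdoe
$devices | Select-Object DeviceType, DeviceModel, DeviceID, LastSuccessSync, Identity

# Pick the lost device (assumption: it is the user's iPad) and queue the wipe.
# The command is delivered on the device's NEXT sync; a device that never
# reconnects is never wiped, so the PIN/encryption policy below still matters.
$lost = $devices | Where-Object { $_.DeviceType -eq 'iPad' } | Select-Object -First 1
Clear-ActiveSyncDevice -Identity $lost.Identity `
    -NotificationEmailAddresses 'itsec@corp.example.com' `
    -Confirm:$false

# Confirm the wipe was sent and, once the device checks in, acknowledged.
Get-ActiveSyncDeviceStatistics -Mailbox jdoe |
    Select-Object DeviceType, DeviceWipeSentTime, DeviceWipeAckTime, LastDeviceWipeRequestor

# Users who do not need mail on a phone: turn ActiveSync off for the mailbox.
Set-CASMailbox -Identity jsmith -ActiveSyncEnabled $false

# For everyone who keeps it: device PIN, auto-lock, wipe after repeated bad
# PINs, and on-device encryption, so a lost device is protected before the
# remote wipe ever arrives.
Set-ActiveSyncMailboxPolicy -Identity Default `
    -DevicePasswordEnabled $true `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock (New-TimeSpan -Minutes 5) `
    -MaxDevicePasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true
```

Record the DeviceWipeSentTime and DeviceWipeAckTime in the incident ticket: the gap between them is how long the lost device held your data unprotected, and a missing acknowledgement means the wipe has not happened yet.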

These are three very basic security “headings” to start your IT Security Policy Manual. Axxys has a detailed and thorough policy to protect our client data, and we are ready to work with you on creating one for your business. We realize this creates more work for HR, but this information is critical. You already spend money every month to ensure information is backed up; now it is time to be vigilant about making sure you are doing everything to protect one of your most critical assets: YOUR DATA.
