IT Security Best Practices: Planning & Policies

In the first blog post of this series, I focused on the critical role staff play in IT security.  In this post, I focus on the role of planning and policies in IT security.
1. Does your organization have IT security policies and do you enforce them?
Technology can do many things. IT wizards have a host of tools to secure your data, success or failure often comes down to the end user. Good IT policy must be pushed from the very top of the organization. Such policies should be reevaluated periodically. They must also be enforced and upheld by everyone in the company.
Remember that leadership sets the tone and if a policy is neglected or outright ignored, other users will be less likely to give it the needed weight. Even the president of your company and the top VIP’s must follow security policies. Even your tech support team, often notorious for dodging the rules, should be held accountable.
IT security polices should include (but are by no means limited to): password policies, BYOD (bring your own device), use of passwords and physical security (many of these are covered later). Policies only help secure your network if people follow them.
Resources:

• Creating an Information Systems Security Policy
• Information Security Policy Templates
• How to create a good information security policy
• The IT Security Policy Guide (PDF)

2. Does your organization have a password policy?
While this may seem like a no-brainer, every company needs a good password policy and it MUST be enforced. Users should have to reset passwords every 60 to 90 days, and passwords should be complex.
Beyond that, consider where these passwords are recorded both on a personal level (no sticky notes under the keyboard) and as a company (where does that Excel file live? Is it protected? What happens if you lose it?).
Resource: Password Security – Tips & Tricks
3. In terms of IT planning, do you have a business recovery and backup plan?
Part of a good security plan is planning how to recover from a problem. While  you can start the discussion with hackers in mind, stopping there is not prudent. There are a host of things that can bring down your network, and you should have a backup plan.
If you can’t answer the following questions (or find someone in your company that can) you should look outside your organization for help:

• Do you have a disaster recovery plan?
• Do you have backups? How do they work?
• Who is in charge of them and how are they maintained?
• How is data restored if there is a loss?
• In the event of a catastrophic system failure, how long can you afford to be down?
• How long will it take you to get your network backup and running?

Resource: Planning for Disaster

---

This is Part 2 of a blog series on IT Security Best Practices. Feel free to comment below to share your questions and ideas on the topic. Join us for the webinar on July 25 on IT Security Best Practices.