Security Policy Development

IT Security Policy Development

Some companies don’t have them.  Others just use generic templates.  Few have custom-written security policies specific to their company and processes.  Even fewer have policies that are updated and currently applicable.  We can change all that with our Security Policy Development service, which will allow you to:

  • Comply with major regulations that require written security policies, such as HIPAA, PCI, Sarbanes-Oxley, and others
  • Detail usage policies for critical technologies
  • Deploy custom policies that were developed in consultation with you, reflecting your company’s needs and culture
  • Communicate to your users the company’s expectations for using IT resources
  • Educate users on secure and responsible network use
  • Reduce your risk by having written policies

Service Details:

We consult with you to determine your security policy needs, and then generate policies to cover your network technologies.  Policies are custom, but generally include some or all of the following:

Acceptable Use Policy
This policy communicates to users how the company expects them to use the network. This policy covers such areas as personal use of email and the Internet, blogging, social media, excessive use, peer-to-peer file sharing, personal storage media, user software installation, instant messaging, monitoring, copyright infringement, prohibited activities, and much more.

Network Security Policy
This in-depth policy is by nature the most technical, and states the company’s policies on its security infrastructure. It covers such topics as: use of antivirus software, server patch management, default installations of systems, vulnerability management, logging, network segmentation, router/firewall/switch security, and more.

Confidential Data Policy
This policy identifies what the company considers to be confidential data and specifies how that data should be handled. It covers such topics as access, encryption, transmission over the network, storage, backups, third-party access, and more.

Data Classification Policy
This policy sets guidelines for how the company deals with different types of data. Data is classified into categories, with security standards set for each on the storage, transmission, and destruction of information in each category.

Data Retention Policy
This policy covers standards on storage, retention, and destruction of the different types of data (as classified by the Data Classification Policy).

Incident Response Policy/Incident Response Plan
This policy specifies exactly how the organization will respond in the event of suspected security incident. This policy defines security incidents, both physical (such as the loss of a laptop) and electronic. It includes preparation plans, response activities for different scenarios, and forensics/recovery based on your stated goals.

Email Policy
The Email Policy sets the company’s standards for appropriate, safe, and effective email use. It covers the company’s email system in its entirety, including desktop and/or web-based email applications, server-side applications, email relays, associated hardware, and all electronic mail sent from the system.

Mobile Device Policy
This policy communicates the company’s position on the responsible use and security of mobile devices such as laptops, smart phones, and removable storage media such as flash drives.

Remote Access Policy
This policy states the company’s position on accessing the corporate network remotely. It covers such topics as: permitted use of the network from remote sources, prohibited actions, use of VPN/encryption software, and accessing the network from non-company-provided computers.

External Connection Policy
This policy covers how the company connects to remote sites or business partners with site-to-site VPNs or direct telecom/datacom connections. Includes such topics as authentication, encryption, management, logging and monitoring, access restrictions, and audits.

Physical Security Policy
This policy sets standards for the physical side of securing IT assets, including the creation of security zones, access controls, physical data/system security, minimizing risk, entry security, and more.

Outsourcing Policy
This policy outlines the company’s policy on the use of outside vendors, consultants, or managed service providers to handle certain functions of IT. It covers the decision to outsource, provider evaluation, and security controls associated with outsourcing.

Wireless Usage Policy
The Wireless Usage policy states the company’s position on use of wireless networking, including installation and configuration guidelines, access to confidential data, and inactivity.

Guest Access Policy
This policy states the company’s standards for allowing guests, such as contractors or visitors, to connect to the corporate network. The policy covers AUP acceptance, account use, security of guest machines, guest infrastructure requirements, and more.

Encryption Policy
This policy specifies the company’s encryption standards and covers how encryption is to be implemented. It includes applicability of encryption technology, key management, minimum strength of encryption, and legal use.

Password Policy
This covers the minimum acceptable standards for secure network authentication, including password standards, use, and frequency of change. The policy also includes user guidelines for creating secure and easy-to-remember passwords.

Backup Policy
This policy presents the company’s backup strategy, including identification of critical systems and data, frequency of incremental and full backups, responsibilities of backup administrator, storage of backups, offsite rotation, restoration procedures, and more.

Network Access and Authentication Policy
This policy covers the corporate standards for accessing the network, and covers such topics as account setup and use, authentication methods, minimum configurations, off-hours access, and more.