How to Protect Your Company From Security Threats: Proven Template and Policy and Procedure Software


IT security is a complex business function that’s often lacking in many businesses. One of the most common elements that’s outdated or missing altogether is a set of comprehensive security policies that people actually know about and follow.

IT security policies are certainly not “fun” to write. They can be very difficult to put together – especially if you’re not sure where your risks are or don’t have the proper people on board. It’s easy to write policies in a way that’s not very effective. The policies end up being there for show (e.g. during IT audits) but there’s no real substance behind them to actually work towards minimizing your overall IT risks.

That said, if you have the support of management, understand what’s at risk, and are looking for a way to make your security policies reasonable and enforceable, here’s a template you can use to make things happen:

  • Introduction – Introduce the IT/security topic covered by the policy, such as passwords or mobile computing
  • Purpose – High-level summary of what the policy is attempting to accomplish
  • Scope – The specific departments, systems, people, and business functions that fall under the umbrella of the policy
  • Roles and/or responsibilities – List of who is involved in managing or enforcing the policy and/or the specific tasks each person is responsible for. Ideally, identify roles by job title rather than specific name(s). (Note: this step can also be automated with policy and procedure software)
  • Policy statement – The actual policy wording that states “this is what and/or how we do things here” – a paragraph or two at the most
  • Exceptions – Departments, systems, people, and business functions the policy does not apply to
  • Procedures – Specific actions for implementing or enforcing the policy
  • Review and evaluation – When and how the policy will be evaluated/audited for compliance
  • Sanctions – The consequences of not complying with the policy
  • References – Applicable security or privacy regulations and IT security standards, or even your employee handbook or related procedures that are documented elsewhere (e.g. in your incident response plan)
  • Revisions – Information on changes made to the policy (i.e. who, when, and why)

Don’t try to cram all of your policies into a single document using the above template. This approach will only serve to create complexity and lack of buy-in – two things you don’t need! For the sake of simplicity, have a separate policy document for each IT security policy (you’ll likely have a dozen or so). You might also want to consider investing in policy and procedure software to have a central repository for storing all of your IT security policies. Policy and procedure software will also allow you to track versions, attestations, and assigned policy updates.

If you follow this approach and ensure the right people keep your IT security policies well-maintained and follow through to enforce the policies when necessary, you’ll know that you’re heading in the right direction to control the things that can be controlled in IT, and that’s huge.

Topics:  Cyber Attacks, Cybersecurity, Data Breach, Data Breach Plans, Data Protection, Electronically Stored Information

Published In: General Business Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© The Network, Inc. | Attorney Advertising
