In this article I share an example policy and explain the points to consider when establishing a security policy whose purpose is to protect your company's information.
GILBERTO ACUNA
For around 20 years I had the opportunity to manage the IT infrastructure and information security of one of the most important soft drink bottling companies in Mexico, protecting the information and infrastructure of more than 90 servers and 2,600 computers.
Having a good security policy is very important to guarantee the continuity of the company's operations, since it reduces the risk of information loss by preventing activities that could harm the company.
Below I comment on what, in our opinion, should be part of such a security policy. Undoubtedly, a good information security policy must reflect the philosophy and way of thinking of the company and be consistent with it.
This article is intended as a guide from which you can begin to establish your own policies.
IT Security Policy for Small Business
First, you need to state very clearly that all computer equipment, devices and software are the property of the company.
Information Security Policy Example:
“The computer equipment, electronic devices, software and systems that are the property of the company may only be acquired, installed, updated and uninstalled by the Information Technology Department.”
Comments:
It is important to establish clearly that all computer equipment is the property of the company and that only Information Technology personnel are authorized to acquire, install, update and uninstall it. This prevents users from installing or changing things on their own: only IT personnel have full knowledge of the approved configurations for company computers, and only what IT knows about can be kept patched and supported.
About using unlicensed software
Information Security Policy Example:
“The use of unlicensed software is not allowed, because it is illegal and creates liability for the company.”
Comments:
Without a doubt, the installation and use of unlicensed software should not be allowed under any circumstances, and you must be very strict about this, since it can have very serious consequences for the company. Besides the legal liability, unlicensed copies are usually obtained from untrusted sources and cannot receive vendor updates, which makes them a common way for malware to enter.
About using computers, software and the internet for personal matters
Information Security Policy:
“Personal use of the computers, devices, software and internet that are the property of the company is allowed, as long as it is done in a professional manner, does not interfere with normal activities, does not consume significant resources and does not interfere with other people's activities.”
Comments:
It is very important that you define clearly whether or not the computer equipment, accessories, programs and internet access owned by the company may be used for personal purposes.
About using personal devices inside the company's facilities
Information Security Policy:
“The use of personal accessories, such as cell phones, iPads, USB devices, etc., is allowed in the company, although they should be used under the supervision of the IT team, to avoid their use affecting the operation of other equipment in the company.”
Comments:
The security policy should also establish clearly whether or not personal accessories may be used with company computers.
In our case, we do allow it, since nowadays everyone uses their cell phone for work as well as for personal matters, which in some way allows employees to carry out work activities from home.
However, allowing cell phones to connect to the company's wireless network involves various computer risks, so it must be done with caution and IT supervision, since malware can spread rapidly and without control. A common precaution is to place personal devices on a separate guest wireless network that has no access to the internal servers.
About monitoring the use of computers and resources
Information Security Policy:
“The company can monitor the use of computer equipment, email and internet to determine if they are used in accordance with established standards.”
Comments:
The company may use appropriate tools to do this, and all employees must be informed that the company reserves the right to monitor the proper use of its computer equipment, so that the provisions of this policy are complied with and information security is ensured.

Passwords
Not having strong and secure passwords is still one of the main risks to your information.
Characteristics of strong passwords
Information Security Policy:
“A strong password must have at least the following characteristics:
– Minimum length 8 characters composed of letters, numbers and symbols
– Confidential, do not share it with anyone
– Change it at least every 3 months”
Comments:
We recommend not using passwords that consist of a date of birth, names of relatives or pets, sequential numbers, etc. Instead, the first letters of a sentence can be used. For example, from the phrase “Pedro was born in January * 2015” the password “PwbiJ*2015” results (note that the year in such a phrase should not be the user's own birth year). A caveat worth adding: length matters more than anything else, so a passphrase of several words is stronger than a short mixed-character password, and current guidance (NIST SP 800-63B) favours checking new passwords against lists of known compromised passwords over forcing periodic changes, since forced rotation tends to produce predictable variations of the old password.
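The rules above can be checked mechanically. The following Python is an added example, not code from the article: it validates a candidate password against the policy (minimum length, letters, digits and symbols, no date of birth, no names of relatives or pets, no sequential or repeated runs) and builds the mnemonic the article describes from a sentence. The birth date, the list of names and the function names are assumptions made for the example.

```python
"""Password policy check (added example, not code from the article).

Assumptions: the caller supplies the candidate password and, optionally,
the user's date of birth and a list of names (relatives, pets) that must
not appear in it. Function names are my own.
"""
import string
from datetime import date
from typing import List, Optional, Sequence

MIN_LENGTH = 8  # minimum length required by the policy


def has_trivial_run(password: str, run: int = 4) -> bool:
    """True if `run` consecutive characters ascend/descend by one (1234, dcba)
    or repeat (aaaa, 1111)."""
    codes = [ord(c) for c in password.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}, {0}):
            return True
    return False


def check_password(password: str, birth_date: Optional[date] = None,
                   names: Sequence[str] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("contains no letters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("contains no symbols")
    if birth_date is not None:
        # Reject the year, the day/month pairs and the full date in common orders.
        fragments = (str(birth_date.year), birth_date.strftime("%d%m"),
                     birth_date.strftime("%m%d"), birth_date.strftime("%Y%m%d"),
                     birth_date.strftime("%d%m%Y"))
        if any(f in password for f in fragments):
            problems.append("contains the date of birth")
    lowered = password.lower()
    for name in names:
        if len(name) >= 3 and name.lower() in lowered:
            problems.append(f"contains the name '{name}'")
    if has_trivial_run(password):
        problems.append("contains a sequential or repeated run")
    return problems


def password_from_sentence(sentence: str) -> str:
    """Build the mnemonic described in the text: the first letter of each word,
    keeping numbers and symbols whole."""
    parts = []
    for word in sentence.split():
        parts.append(word[0] if word.isalpha() else word)
    return "".join(parts)


if __name__ == "__main__":
    pw = password_from_sentence("Pedro was born in January * 2015")
    print(pw, check_password(pw) or "passes the policy")
    print(check_password("maria1990", date(1990, 5, 3), ["Maria"]))
```

Run as a script it prints the article's mnemonic and then the violations for a weak password built from a name and a birth year. In a real deployment the same function would run on the server when a password is set, and would additionally be paired with a check against a list of known compromised passwords.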
About disabling accounts after a certain number of unsuccessful attempts
Information Security Policy:
“User accounts must be disabled after a defined number of unsuccessful login attempts.”
Comments:
In the case of Windows, we recommend configuring the domain account lockout policy so that user accounts are locked after 5 unsuccessful attempts to log on to the network with the wrong password. Set a lockout duration and a reset window as well (30 minutes is a common value), so that a locked account unlocks itself and a help-desk call is not needed for every typo; be aware that an attacker who knows user names can use the lockout to deliberately lock people out, which is one reason lockout events should be monitored. In the case of iOS, this behaviour is built in: the device imposes increasing delays after repeated wrong passcodes and can optionally erase itself after 10 failures.
About the passwords for Systems and ERP's
Information Security Policy:
“Similarly, this rule about disabling accounts must also apply to Systems and ERPs.”
Comments:
In the case of systems such as an ERP, we also have to remember to enable this configuration (or implement it, if the application does not offer it), to prevent password guessing against the application's own accounts, which are not protected by the Windows domain policy.
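What the two policies above require of an application, shown in code. This Python is an added example, not code from the article or from any particular ERP: a login gate that counts failed attempts per account, locks the account after 5 failures (the same threshold recommended for Windows above) for an assumed 30 minutes, refuses even the correct password while locked, and ages out failures older than an assumed 30-minute window. The in-memory account table, the injectable clock and the function names are assumptions made for the example.

```python
"""Application-level account lockout (added example, not code from the article).

Assumptions: an in-memory account table keyed by user name and an injectable
clock, so the lockout window can be exercised without waiting. In a real ERP
the same counters would live in the user table or a shared cache. The
threshold follows the text (5 attempts); the 30-minute duration and window
are assumed values.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

MAX_ATTEMPTS = 5             # lock the account after this many failures
LOCKOUT_SECONDS = 30 * 60    # assumed: how long the account stays locked
WINDOW_SECONDS = 30 * 60     # assumed: failures older than this no longer count
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class LoginGate:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.accounts: Dict[str, Account] = {}
        self.clock = clock

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, derive(password, salt))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' (wrong password) or 'locked' (too many failures)."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            # Same cost for unknown users, so response time does not reveal valid names.
            derive(password, b"\x00" * 16)
            return "denied"
        if now < acct.locked_until:
            return "locked"  # even a correct password is refused while locked
        # Drop failures outside the observation window before counting.
        acct.failures = [t for t in acct.failures if now - t < WINDOW_SECONDS]
        if hmac.compare_digest(derive(password, acct.salt), acct.pw_hash):
            acct.failures.clear()
            return "ok"
        acct.failures.append(now)
        if len(acct.failures) >= MAX_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures.clear()
            return "locked"
        return "denied"


if __name__ == "__main__":
    gate = LoginGate()
    gate.add_user("ana", "PwbiJ*2015")
    for attempt in range(6):
        print(attempt + 1, gate.login("ana", "wrong-password"))
    print("correct password while locked:", gate.login("ana", "PwbiJ*2015"))
```

A production version would also write a log entry each time an account is locked, so that IT can spot a burst of lockouts across many accounts, which is what a password-spraying attempt looks like from the defender's side.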
About using different passwords for company matters instead of personal passwords
Information Security Policy:
“Do not use the account and password that you normally use to access the company network on internet sites or on computers that are not owned by the company.”
Comments:
Ideally, what is business should be separated from what is personal. In this case, we recommend using different passwords for business matters and for personal matters, so that a password leaked from a personal website cannot be used to log in to the company network; attackers routinely try leaked credentials against other services.

E-mail
E-mail continues to be one of the main entry points for attacks, spam and scams, so you always have to be very careful about how this tool is used.
About emails with suspicious content or SPAM
Information Security Policy:
“Any unexpected e-mail with suspicious content that you did not request and that contains advertising, offers, etc. (known as spam) must be deleted immediately without opening it, even if it appears to come from someone you know.”
Comments:
E-mails with suspicious content or a suspicious link should be deleted immediately without opening them, since opening the link is likely to lead to a page that steals credentials or downloads malware that compromises personal and company information. Remember that the sender's address can be forged, so a familiar name is no guarantee. Spam (junk e-mail) is normally received because the address was used to register on various internet sites, so avoid registering the company address on sites that do not need it.
About preventing phishing: do not provide personal or banking information
Information Security Policy:
“Do not provide confidential personal data or credit card information in response to an e-mail requesting it. Requests of this kind are a common way of deceiving people, known as phishing.”
Comments:
It is very important to avoid sending any type of confidential information by e-mail, text message or WhatsApp, such as your social security number, credit card or bank account details, since we never know whether that message or e-mail may later be forwarded and fall into the hands of people who may misuse the data.
About the maximum recommended size to send attachments by the email
Information Security Policy:
“In general, an e-mail should be smaller than 25 megabytes including all attachments. When you send an image or photograph, reduce its size first. If you need to send larger files, use G-Suite or a similar file-sharing service, and the IT staff will help you send it.”
Comments:
Sending one or more large attachments, whether PDFs or images, is always a problem. In the case of G-Suite (now Google Workspace), Gmail will offer to place the attachments in Google Drive and send a link from which the recipient can download the documents; remember that the sharing permissions of that link then apply, so check that it is not open to anyone who has the link.
About periodic deletion of unnecessary emails
Information Security Policy:
“Periodically delete unnecessary emails. Save those that you really need for further reference.”
Comments:
It is important to frequently delete junk or no longer needed e-mails and keep only those that may be required in the future. Similarly, it is recommended to set the spam folder to automatically delete messages that have been there for more than 7 days.
About not using your signature in emails or attached documents
Information Security Policy:
“Your signature should not be included in emails or attached documents.”
Comments:
If you need to sign a contract, it is better to use a digital signature platform such as DocuSign; otherwise, it is not advisable to include your scanned signature in e-mails or attached documents, since an image of a signature can be copied into other documents.
About using the security built into e-mail platforms to protect the confidentiality of your e-mails
Information Security Policy:
“Use the confidentiality features of the company's e-mail platform when sending messages that are considered confidential.”
Comments:
Platforms such as G-Suite (Google Workspace) and Microsoft 365 offer confidentiality options that should be used for e-mails considered confidential. When writing an e-mail, you can enable the confidential option (in Gmail, confidential mode) to restrict forwarding, copying and downloading and to set an expiry date for the message. Similarly, a password-protected PDF can be used to add protection to a confidential document, sending the password through a different channel than the e-mail itself.
About not using company email for personal matters
Information Security Policy:
“Do not use your company e-mail account for personal matters. Use a separate account, which can also be useful as a backup for the company e-mail.”
Comments:
Ideally, what is business should be separated from what is personal. In this case, we recommend keeping a separate personal e-mail account, so that personal subscriptions and registrations do not bring spam and phishing into the company mailbox, and so that the company mailbox contains only company information.

Internet access
The internet continues to be the main source of risk, for which the following policies should be established.
About a restricted use of the Internet
Information Security Policy:
“Internet access must be blocked at the firewall for people or equipment that do not require it.”
Comments:
This service need not be granted automatically to everyone; for some people or computers the access may be restricted or denied entirely.
About social media and web sites with inappropriate content
Information Security Policy:
“In the same way, access to internet sites with inappropriate content or to certain social media must not be allowed.”
Comments:
Social media is a powerful communication tool, but not necessarily for everyone. If there is no valid business reason, this service should be restricted to certain people.
Avoid transactions on internet sites that are not considered secure
Information Security Policy:
“Before making any transaction on a website, verify that the site is secure. A secure site can be identified easily: the address begins with https (the letter s stands for secure) instead of http, and the browser shows a padlock next to the address.”
Comments:
Everyone should know the difference between a secure site and one that is not. Transactions on sites that do not meet minimum security requirements should be avoided at all costs. Keep in mind, however, that the padlock only means that the connection is encrypted and that the certificate matches the address shown; it says nothing about who is behind the site. Phishing sites also use https, so check that the address really belongs to the bank or shop (typed by you or opened from a saved bookmark, not from a link in an e-mail) before entering any data.
About implementing strict access controls right from the firewall and VPN
Information Security Policy:
“Any access, both outbound and inbound, must be restricted from the central point, which is the access firewall.”
Comments:
The IT department must constantly monitor for any unauthorized entry, and the security of access through the main firewall must be continuously reinforced.
If VPNs are in use, they must also be monitored in order to detect unauthorized or suspicious traffic in time. VPN accounts should follow the same password and lockout rules as network accounts, and ideally require a second factor, since they are reachable from anywhere on the internet.

Messaging tools
Sending confidential messages through messaging tools such as WhatsApp or any other represents another possible security gap, so it should also be considered as part of the security policy.
Use of messaging tools for business
Information Security Policy:
“You must use the company-authorized tool to send messages that are the property of the company.”
Comments:
Tools such as Google Chat (formerly Hangouts) and Microsoft Teams offer additional security by being part of the G-Suite (Google Workspace) and Microsoft 365 platforms, so these are the tools that should be used to transmit confidential information. In addition, all these messages are retained as part of the platform, so if a collaborator leaves the company, these company-owned messages remain available, which is not the case with a personal WhatsApp account on a personal phone.
Backups
It is the responsibility of each person to ensure that their information is always backed up and that it is done correctly. You can use the cloud, other computers on the same network, an external disk or a USB memory stick.
About who is accountable for the backups
Information Security Policy:
“It is the responsibility of each person to ensure that their information is always backed up correctly, for which they can use other equipment connected to the network, such as a NAS, the cloud (for example Google Drive), or USB memory devices.”
Comments:
Platforms such as G-Suite (Google Workspace) include backup tools, such as Backup and Sync (since replaced by Drive for desktop), which synchronize the information stored on computers to the cloud automatically. The same goes for e-mail. Two caveats apply: synchronization is not the same as a backup, since a file deleted or encrypted by ransomware on the computer is synchronized in that state too, so rely on the platform's version history and on copies that are not permanently connected; and a backup that has never been restored is not proven, so test restoring a few files periodically. It is recommended that you ask the IT staff about these backups.

Sharing information
When you share information from your computer or the cloud, you also have to do it in a secure way, since it is another source of risk: someone could read your information without authorization or delete it by mistake. Follow these recommendations:
About access permissions to your shared folder in the cloud
Information Security Policy:
“Grant permission only to the person with whom you want to share your files, preferably read-only, and avoid sharing with everyone or with all permissions.”
Comments:
It is better to share a folder with one specific person, read-only, than to grant all permissions, unless this is really necessary. In particular, avoid the “anyone with the link” option for company documents, since such a link can be forwarded to anyone.
Information Security Policy:
“Review previously shared folders and remove permissions that are no longer required.”
Comments:
With Google Drive or OneDrive, everyone must periodically review the permissions they have previously granted and remove the accesses that are no longer necessary, since these permissions are often granted for a temporary need and then forgotten.
Physical security
As part of the security policy, physical security should always be considered very important and never neglected. It is everyone's obligation to protect the company's confidential information at all times, such as financial information, new product launches, payroll, etc., so the following measures must be followed:
About protecting physical documents on your desk
Information Security Policy:
“Never leave confidential information on your desk in print or electronic media as it could be read by others during your absence.”
Comments:
Make sure your computer is locked before leaving your office, and as for important papers, put them away or, preferably, use a paper shredder.
Information Security Policy:
“In the same way, avoid leaving important documents in printers and meeting rooms.”
Comments:
Whenever you print an important document, be sure to pick it up, especially if the printer is shared with other people. Similarly, take special care in meeting rooms, as important documents are often forgotten there.
Final recommendations
Finally, we include some final recommendations, which are very important to round out all the aspects of information security. We all need to be aware that this is a never-ending task, in constant evolution.
About any suspicious behavior on your computer
Information Security Policy:
“If you suspect the presence of a virus or a computer attack, receive dubious e-mails, notice abnormal slowness in your computer or in the sending or receiving of information, or detect any other anomaly, please notify the IT Department.”
Comments:
Always notify IT if you think your computer is unusually slow or if you consider that an intruder may have accessed your data. Reporting early is what allows an incident to be contained before it spreads to other computers.
Information Security Policy:
“Only IT personnel may send e-mails and any other kind of message related to information security, such as viruses, threats, scams, etc.”
Comments:
IT personnel are the ones authorized to send alerts about new viruses and threats related to information security. This also means that a message about a “virus” or a “security update” that does not come from IT should be treated as suspicious and reported, since fake security warnings are a common phishing lure.
Information Security Policy:
“Lock or turn off your computer equipment while you are not using it.”
Comments:
Finally, don't leave your computer with sensitive information in plain sight. Make sure to protect your information, so that we all contribute a little.