Organisations need well designed IT security polices to ensure the success of their cyber-security strategies and efforts. The lack of an IT security policy can result from various reasons, but more often than not, include limited resources to assist with developing policies, slow adoption by management, or a lack of awareness of the importance of having an effective IT security program in place.

What is IT Security?

Good IT security prevents unauthorized disclosure, disruption, loss, access, use, or modification, of an organisation's information assets. Without information security, an organization's information assets, including any intellectual property, are susceptible to compromise or theft. It is important to keep the principles of confidentiality, integrity, and availability in mind when developing corporate information security policies.

Why is an IT Security Policy needed?

The goal when writing an organisational information security policy is to provide relevant direction and value to the employees within an organisation with regard to security. The aim of IT security policies is to address security threats and implement strategies to mitigate IT security vulnerabilities, as well as defining how to recover when a network intrusion occurs. Furthermore, the policies provide guidelines to employees on what to do and what not to do. The following are some core reasons why your organisation should have IT security policies in place:

  1. IT security policies define what is required of an organisation's employees from a security perspective;
  2. IT security policies reflect the risk appetite of an organisation's management and should reflect the managerial mindset when it comes to security;
  3. IT security policies provide direction upon which a control framework can be built to secure the organisation against external and internal threats;
  4. IT security policies are a mechanism to support an organisation's legal and ethical responsibilities;
  5. IT security policies are a tool to attribute responsibility for compliance with expected behaviours with regard to information security.

What should it include?

IT Security Policies should be developed with a multi-layered approach. In light of this, there are nine topic areas which can be addressed.

  1. Acceptable Use Policy
  2. Confidential Data Policy
  3. Email Policy
  4. Mobile Device Policy
  5. Incident Response Policy
  6. Network Security Policy
  7. Password Policy
  8. Physical Security Policy
  9. Wireless Network and Guest Access Policy

The above are the minimum policies an organisation should have in place in order to have a sufficiently robust IT Security program.

As a first step to IT security policy development, start looking at the current IT risks and network vulnerabilities of your organization. A good way to identify your risks is to have an outside consultant conduct a vulnerability assessment for your organisation.

The purpose of having IT security policies in place is not to adorn the empty spaces of your bookshelf. IT security policies can become outdated over time if they are not actively maintained. At a minimum, IT security policies should be reviewed yearly and updated as needed.

Does employee monitoring help with your IT Security?

In today's era of digitalisation, there are countless data points which employees have access to edit or download or even share with others. As an employer, you will have to guard the company as well as client data within as well as beyond the office premises. In the same breath, your employees have the fundamental human right to privacy and respect for private life – therefore, when implementing your IT Security policies, it is important to keep in mind that a balance must be struck. In light of this, as an employer, you may only collect data relating to an employee through monitoring (e.g. internet usage or access to employee emails) under strict conditions and only for legitimate purposes, with the processing taking place under appropriate conditions, such as where it is proportionate, necessary, lawful and transparent. This may be done through a section within the IT security policy which informs employees that an employer may access certain personal data such as internet usage or emails when there is a reasonable suspicion to do so.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.