Creating an Information and Data Security Policy
The importance of safeguarding your company’s and your company’s customers’ data is obvious. Since I wrote about data breaches a year ago, in the context of how to place a security freeze to prevent identity theft, the list of prominent organizations that have suffered data breaches has grown long. Disney, Hillary Clinton’s campaign, the Democratic National Committee, the University of Connecticut, hotel(s)… the list goes on – and that’s just in the last 45 days!
Your company can reduce the risk of a data breach by having strong data safeguards in place. A great way to disseminate those safeguards is an Information and Data Security Policy in your employee handbook. This article gives an overview of the information you may want to include in your data security policy.
Most data breaches do not happen as depicted in the movies. They typically start with the compromise of one person’s account, usually through social engineering such as a phishing email, and spread from there. That’s why it’s important that every employee puts in the effort to keep their accounts secure.
Your IT staff should decide how passwords are created, stored, shared, and communicated. Many companies use services like 1Password, Dashlane, or LastPass to accomplish these tasks. If you do use one of those services, make sure employees know how to set it up and use it, and that credentials that must be shared go through the manager’s sharing feature rather than through chat or email.
Other Secret Information
Provide guidance on how employees can securely communicate sensitive information, such as credit card numbers, Social Security numbers, license keys, and so on. This information should never be written down on paper that can be misplaced or stolen, and it should not be recorded in any system that retains it indefinitely (email and chat logs are the usual offenders).
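A policy like the one above is easier to enforce when something checks outbound text for the kinds of secrets it names. The following is an added example (not code from the original post or from Blissbook) of a small scanner of the sort a mail gateway or pre-commit hook could run: it finds card numbers that pass the Luhn check, Social Security-style numbers, and long high-entropy tokens that look like API keys or license keys. The sample email, the entropy threshold of 3.0 bits, and the token format are all constructed for illustration.

```python
import math
import re
from collections import Counter
from typing import List, Tuple

# Constructed sample message (no real data): what an employee might paste into an email.
SAMPLE_EMAIL = """Hi team,
Customer paid by card 4111 1111 1111 1111, exp 12/27 (please charge today).
Typo from the previous thread: 4111 1111 1111 1112 is NOT a valid number.
Contractor SSN for onboarding: 123-45-6789
Prod API token: a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6
Filler string abcabcabcabcabcabcabcabcabcabcabcabc is not a secret.
Thanks!
"""

# 13-19 digits, optionally separated by spaces or dashes (typical card formatting).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US Social Security number in its usual dashed form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Assumed token shape: 32+ chars of letters, digits, '_' or '-'. Real key formats vary.
TOKEN_RE = re.compile(r"\b[A-Za-z0-9_\-]{32,}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score high, words and padding score low."""
    n = len(s)
    counts = Counter(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def mask(value: str) -> str:
    """Keep only the last four characters so findings can be reported without leaking the secret."""
    return "*" * (len(value) - 4) + value[-4:]


def find_secrets(text: str, entropy_threshold: float = 3.0) -> List[Tuple[str, str]]:
    """Scan text and return (kind, masked_value) pairs for each likely secret."""
    findings: List[Tuple[str, str]] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        # The Luhn check filters out order numbers and typos that merely look like cards.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card_number", mask(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", mask(m.group())))
    for m in TOKEN_RE.finditer(text):
        # Entropy separates random keys from long but repetitive or natural-language strings.
        if shannon_entropy(m.group()) >= entropy_threshold:
            findings.append(("high_entropy_token", mask(m.group())))
    return findings


if __name__ == "__main__":
    for kind, masked in find_secrets(SAMPLE_EMAIL):
        print(f"{kind}: {masked}")
```

Run against the sample, the scanner reports the valid card number, the SSN, and the API token, and stays quiet on the number that fails the Luhn check and on the low-entropy filler string. Findings are masked so that the alert itself does not become another place the secret is stored, which is the same mistake the policy warns about.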
There are many things to consider for how to handle security for your IT infrastructure. Your IT staff will likely have a list of things to communicate. In general, here’s what should be covered.
How to use IT infrastructure. You probably want to mention things like:
- No malevolent hacking.
- No illegal activity.
- Keep confidential information safe.
- Respect copyright laws.
- Keep your web browsing PG-13.
Be clear that the company owns all IT infrastructure (hardware and software) issued to employees and reserves the right to access and/or monitor it at any time.
Most company devices are used for some amount of non-work related activity. Employees should be informed of any requirements around this use. If there’s a lot to say, consider creating a separate “Communication Systems and Acceptable Use” policy. Stand-alone BYOD (Bring Your Own Device) policies are fairly common nowadays as well.
If your company, like ours, stores confidential information in software or on hardware you’ve built, you should outline how that data is secured. Describe rules/guidelines around:
- Password management for your servers and databases
- Software updates (how and when)
- Database backups
- Application security best practices
- API keys (how they are issued, stored, rotated, and revoked)
- Access control to the databases, code, servers, and physical hardware
- How activity is logged and who can access that data
- Intrusion detection
Tell employees when to use the company VPN, how to connect to the company’s WiFi, and what is required when working over public WiFi.
That about wraps it up. A good Data Security Policy will go a long way towards helping your employees keep confidential information secure. Every employee handbook should have one! For that reason, we’ve added a basic one to the starter handbook that every new Blissbook customer gets when they sign up.
If you want to see a specific example policy, take a look at our Information and Data Security Policy.