An organization’s security policy sets the standard for the way in which important business information and systems will be protected from both internal and external threats. Thus, all policies must be up to date and in line with the organization’s goals and objectives. 

In our previous post, we took you through a guide for creating effective security policies for your business. Coincidentally, lawyers in Nigeria convened a Privacy Conference to discuss Startups and Data Protection where the importance of implementing security policies was discussed. It is also important to note that the effectiveness of any of these policies would depend on how contextualized the policies are.

The best time to implement internal policies is at the inception of your business and the next best time is now, here are a few policies that every SME must implement to keep their information systems safe:

Acceptable Use Policy

This policy specifies the standards for using a computer. It is used in business operations to fulfill the interests of the SME and/or its clients. The AUP defines the risks and consequences associated with the improper use of information systems. For example, inappropriate conduct can lead to legal consequences. 

Remote Access Policy

This policy is designed to reduce the risks that may arise from exposure and use of unauthorized resources. Remote access means connecting to the SMEs network from any host, this means the policy should include provisions for sending or receiving emails, requirements for VPN access, disk encryption, and intranet resources for all employees. 

Password Creation and Management Policy

This policy provides a framework on developing, implementing, and reviewing a documented process for appropriately creating, changing, and safeguarding strong and secure passwords used on a SMEs information systems. The policy should enforce the use of strong passwords and training members of staff in a SME on how to choose their passwords. 

Access Authorization, Modification, and Identity Access Management

This policy requires the organization to create and document a process for establishing, documenting, reviewing, and modifying access to systems and sensitive information. In implementing access authorisation the organizations rely on the Principle of Least Privilege (PoLP). This is the theory that users and systems should only be given access to information needed to complete their job. 

HR and IT usually conduct this process from the hiring to the termination life cycle of staff members. An access authorization and modification map should be created in accordance with the access authorization policy and password management policy.

Onboarding and Offboarding policy

Onboarding involves all the steps needed to get a new employee deployed and productive in their new position effectively. Offboarding on the other hand, involves separating an employee from an organization. This can include a process for sharing knowledge with new staff substituting them or other employees.

The policy specifies processes that should be followed in introducing the organization’s security policies and procedures to the new employee during onboarding. It also specifies the processes to be followed in handing over all the organization’s properties in a safe and secure manner. 

Data Retention Policy

This policy specifies what type of data the business must retain and the duration within which it will be legal to retain such data. It also states the manner in which data should be stored during and after use, and how it should be destroyed. This will help create more space in storage, and to remove outdated and duplicated data.  

Some examples of such documents are email messages, contracts, customer records, and transactional information. 

Change Management Policy

This policy bothers on the management, approval, and tracking of the organization’s information system. The change management policy includes methods on planning, evaluation, review, approval,  implementation, communication, documentation, and post change review.

Incident Response Policy

This policy is included in an organization’s Business Continuity Plan. It prescribed how members of the organization or the security team respond to information security incidents. It is often implemented after a breach of data or other security incidents.  

Security Awareness and Training Policy

This policy is usually administered to members of staff or the workforce so that they can efficiently safeguard the SMEs data and information while executing their duties. Organization management teams are encouraged to train users on the organisation’s security policy. 

The policy should cover email, and internet access policies, responsibility for computer security, and workstation maintenance. The training should address, identifying social engineering tactics, limiting system downtime, and protecting critical business information. 

Other Important Policies to Consider

• Network Security Policy
• Mobile Device Management (MDM) Policy and Procedures
• Bring Your Own Device (BYOD)
• Encryption and Decryption Policy
• SPAM Protection Policies
• HR Policy Set
• System Maintenance Policy
• Vulnerability Management Policy

A properly executed security system benefits every organization. It gives the SME a stronger outlook and reduces incidents of employees addressing security threats. It also makes the SME more fit for an audit and makes them compliant with the regulatory requirements. It also imbues accountability within stakeholders and members of the organization.