Written Policies

By Alex Kallimanis

For many, the most daunting aspects of information security are the policies that shape the IT practices of the business. This “Information Security Program” builds a written framework that defines everything from individual user permissions to disposal of old equipment.

Why Does a Company Need an Information Security Program?

Having and following an Information Security Program is the framework of any good IT policy. These policies state how a company will secure and protect data from threats. The policies also outline who is responsible for what actions; for instance, who is going to take the nightly backups for the file server. In order to safeguard data from threats, there are a number of factors that your MSP should consider.

For instance:

  • The size of your company (number of users)
  • Your industry
  • The amount of data you have currently
  • Data expiration date
  • Virtual commuters
  • BYOD
  • Frequency/location of backups
  • User permissions

What originally started as best practices within the IT sphere has developed into a full-fledged industry. Each piece of the Information Security Program protects your business in the event there is an audit for “mishandling” data. To protect their data, industries have come up with various regulations: public companies employ Sarbanes-Oxley, medical companies use HIPAA regulations, and financial corporations adopt FFIEC policies. These regulations are applied either to the information the company stores on its own behalf or to the information it stores for the client that it is representing.

Who Does What?

Laying out the responsibility of every party in the Information Security Program allows everyone to know what they are and are not responsible for. Once implemented, the internal IT policy becomes an HR and management issue. These responsibilities include, but are not limited to:

  • Hiring policies – determining security clearances, email address naming conventions
  • Employment policies – background checks
  • Password policies – password complexity, special characters, regular password changes/updates
  • Scheduling awareness training – cybersecurity, best practices
  • Fixed asset policy – purchasing and disposal of electronic assets

Meanwhile, your managed services provider takes care of all of the technical aspects of your network, including:

  • Maintaining software licensure
  • Administering operating system upgrades
  • Monitoring uptime and system hardware
  • Replacing bad components and providing solutions when something is going wrong
  • Setting up backup schedules
  • Setting user permissions
  • Installing optional firewall software and enhancements

Contact the team at First Service Carolina today to speak with a representative about implementing an Information Security Program at your business.