Security Policy Compliance and Testing Guide

Security Policy Compliance and Testing Guide
Page content

Determining Your Data Security Policy

Having a security policy is vital for any business that employs one or more individuals. Such a policy will determine exactly how computers, data and any related hardware (mobile phones, printers) can be used. The idea is that a data security policy will outline any restrictions of use as well as specify requirements for passwords and usernames, restricted websites and other online services as well as confirming what security is required for the corporate network.

A data security policy should be looked upon as a statement of intent and a list of instructions. Some elements that are included in the policy may not yet be implemented, but they should be treated as if they are.

Communicating Policy to Colleagues

Once a data security policy has been discussed, outlined and drawn up, it should then be published and communicated to employees and colleagues.

This is the most difficult aspect of developing this type of policy, as many employees will be largely apathetic to the requirements. As such, communicating the policy through security awareness training is vital so that employees can say that they know what the security policy is.

The policy should also include details of the incident management process, and this should also be communicated to employees along with the organization’s own responsibilities concerning workplace privacy and the law.

Email Security Policies

One area that should not be overlooked is in the use of email. This popular communications method can be used to send single words or entire reports. Either may be commercially sensitive, which is why it is a good idea to have a restriction on the type of data that can be sent by email.

A common approach is to implement email scanning software that detects spam, inappropriate messages and attachments, then holds them for review by a mail administrator. This will usually occur with both incoming and outgoing email messages.

Sharing Data Securely

Whether you’re sending data via email, saving it to a USB Flash device or portable hard disk drive or even printing it out, the secure sharing of data should be a vital aspect of your data security policy.

Smartphones should be secured using dedicated software as well as the old fashioned method of signing the equipment in and out, while a full and clearly explained policy for the use and security of fax machines should be included and disseminated.

Similarly, Flash drives should be labeled with serial numbers so that they can be signed out, while the positives and dangers surrounding cloud computing should form a major element of your security policy.

When Data Privacy is Vital

In certain situations, the data stored by your organization may only be viewed by certain people. For instance, you may be working in the healthcare industry, or as a contractor to a defense department. In these situations a standard data security policy will need to be enhanced for the duration of the contract.

Various additional material will need to be added to the policy concerning privacy and communicating personal data in a non-identifiable manner (for instance by removing names and addresses from patient-based reports).

Security Testing

Before you’re ready to draw up and implement the security policy, however, you will need to be aware of some of the testing tools and requirements that can be used for ensuring your network and systems are up to scratch.

There are various tools available for auditing your network security, but the best examples are those that test your network’s resilience to penetration testing and brute force intrusion.

Unfortunately, the mistake of many organizations is to assume that the threat will come from outside. In fact, many data breaches occur due to lost or stolen hardware or even physical intrusion into offices or server rooms.