This time, we will be discussing information security policy considerations for IT systems. In our previous article, we discussed policies involving security for non-IT systems. Such policies aim to limit the distribution of confidential data to those with authorization and to prevent the unlawful use, disclosure, disruption, deletion, corruption, modification, inspection, recording, or devaluation of information. These policies are applicable to both IT and non-IT systems.
Information Security Policies for IT Systems
Asset Management
An asset policy covers any system or storage device that can access or store information. This is one of the information security policies that details how to properly issue and track authorized devices, how to keep them up-to-date and maintained, and the acceptable use and handling guidelines for personnel. It may also detail how to store these assets securely when not in use and how to dispose of them, once they are no longer needed, in a way that prevents data compromise.
Network & Communication Security
This policy should contain information regarding how a company’s IT network is set up, including the services used and how network segments are separated from one another. Additionally, you may wish to include your guidelines for the retention and use of e-mail, chat applications, and the transfer of information over a network. Finally, you may wish to include confidentiality and non-disclosure rules for network communications.
System Administration & Maintenance Security
It is extremely important to keep IT systems fully up-to-date on patches and firmware updates, to ensure that devices are configured to be safe on the network they will reside on (and, for portable devices, potentially on public networks), and to perform other maintenance that keeps your systems fully protected. This is one of the information security policies that details how and when to perform such maintenance activities, and how to acquire systems in a way that ensures they will have the most robust protections necessary.
This policy guides your personnel on how to perform daily work and ensures a secure operational environment while doing that work. This will generally involve setting up change and capacity management, protections against installing malware and unauthorized software, system backups, and system audits, in addition to other network considerations.
Incident Response Plan
An incident response plan contains the steps to take to determine whether a security event has a large enough impact to be considered an incident that needs a full response. This plan should guide the incident response team through the steps necessary to ensure that the incident is contained without causing further damage, and is responded to appropriately with regard to all legal and contractual obligations.
Disaster Recovery & Business Continuity Plan
A disaster recovery and business continuity plan addresses what actions will be taken in the event of a serious incident that impacts the organization to such a degree that a recovery period and a non-standard work environment become necessary.