What Your Company Needs in a Computer Security Policy
Information is the lifeblood of any large or small company. You have customer lists, accounting information, correspondence, and other critical information on computers. If your company is typical, there is a network connecting these computers and probably a connection to the Internet. Protection of your information from loss and theft is often handled in an ad hoc way.
Your company needs a computer security policy to help protect this information. A policy for your employees on safe computing and information protection is as important as a firewall. A computer security policy is also known as an “information assurance” or “information security” policy.
What about the legal arguments for and against written policies? On one hand, company lawyers often warn their clients that poorly written policies can become the main point of contention in litigation when the opposing side (usually an employee) alleges that the company violated its own policy; well-written policies, however, should protect against such claims and not be a problem. On the other hand, companies that don't have written policies end up with less legal protection in cases such as sexual harassment, where e-mail is often used as evidence, or unintentional disclosure of customer information.
The Supreme Court has ruled that companies can protect themselves from liability by having clearly written policies. As a general rule, any company that has 15 or more employees should have written computer security policies.
Policies are legal documents, so before implementing a computer security policy, you should consult with an attorney.
There are four major areas that should be covered in a computer security policy.
1. Authority, Responsibility, Scope
This section of your policy starts with a clear definition of where the authority for the policy is derived. In a small company, it may be derived from the president. In larger organizations, the authority usually comes from the board of directors. This section clearly defines who is responsible for information security and assurance. Furthermore, it defines the scope of the policy (what it controls) and to whom the policy applies.
2. Confidentiality and Information Protection Agreement
All company employees and contractors who require access to the company’s computer facilities should sign an applicable agreement on an annual basis. Employees who sign this agreement acknowledge that they have read and understand the policy. This section of the policy states the requirement for signing an agreement and specifies penalties for violation. It also sets the legal basis for company ownership of all information and communication performed on company equipment or by employees or contractors in the course of their jobs.
3. System Protection
This section defines how information is protected by the company and employees. It provides the guts of the policy by defining both external and internal security issues:
- External security: The policy should provide guidelines for physical protection of information and information assets (backups, computers, network equipment) as well as establish the need for firewalls, intrusion detection, monitoring, and so on.
- Internal security: This section defines e-mail policies (such as ownership, allowed usage, etc.), password policies, confidential information, and backup requirements and sets requirements for employee training on information protection. Don't forget to include your phone system. It's a vital system.
4. Incident Response
This part of the policy should state who is responsible in the case of a breach or loss of data, what should be done, and how and when the media should be contacted.
John C. Shovic is a partner in Coeur d'Alene, Idaho-based MiloCreek Consulting.