The work environment that many organizations have today looks entirely different from the working environment they had pre-pandemic. Thousands of organizations now have their employees scattered throughout large geographical regions in environments that are not under the employer’s direct control. While the option to work remotely has saved many a company from going bankrupt, it also vastly changed both the physical and technological environment in which staff members work. While outwardly many organizations seem to be working from home fairly successfully, it is possible that their official information security policy looks exactly as it did before the pandemic, if they even had one at all.
Whether an organization had a previous ISP (information security policy) or whether they now realize they should draft one, the steps they must take to create one will likely be fairly similar since the working environment has changed for so many companies. The first step in drafting an ISP is to consider the scope of one’s business. Some organizations may interact with many vendors and/or suppliers, or they may only have a few. Other organizations have large customer or employee bases, or some combination thereof. Whatever the scope, companies must consider all the different components that could be affected by their new information security policy.
The next step is to set objectives in order to establish the overall direction of the policy, including factors such as legal, regulatory, business, and contractual security requirements. As those in charge of creating the policy gather information about the company’s operations, they must consider the structure of their risk assessment as it relates to the area they are evaluating, as well as use appropriate criteria in order to properly evaluate security risks.
Drafting the Policy
While each organization’s ISP will be unique, there are a few standard points that most businesses will likely put in their specific policy. These items include enforcing a password policy where users must meet certain requirements such as password length, the type of characters required, and how often the password must be changed.
Other key points will likely include the requirements for handling data from third parties, employees, and customers, along with guidelines that outline what employees can and can't do with regard to actions such as internet usage and access controls. Some organizations may want to take their information security policy one step further by ensuring the new policy adheres to certification programs that pertain to their particular industry, or to technology-specific certifications.
Who, Where, What, Why
A finalized information security policy may not be that lengthy. In fact, a company's ISP may not be longer than a page or two. However, it will answer some essential questions, such as who issued the policy, meaning under whose authority it stands. Other questions the policy will answer include where the policy applies, such as specific departments and/or locations, what the overall goal of the policy is, and which company-specific security issues it addresses.
Lastly, it will also answer the question of why a new policy was needed. In most cases, this will be a statement discussing how the ISP will help ensure that the business continues to protect its sensitive data while operating in a new working environment. In addition, the new ISP is intended to safeguard the continuity of the organization while maximizing its ROI.
The worldwide pandemic forced many businesses to make drastic changes in the way they conduct their business practices, including how they secure their corporate data, along with their hardware and software resources. Although creating an ISP for this new way of operating may represent a challenge during a time of uncertainty and upheaval, informing employees how to safely navigate their new circumstances is essential for a successful future beyond the pandemic. If you would like more information on how to create a corporate ISP for your new working environment, please contact us.