Policy. The one word guaranteed to bring glazed eyes and stifled yawns to any conversation. Surely there are better things to talk about. For example, yesterday’s baseball scores or the latest crazy cat video. Plenty of organizations, be them small, medium, large, non-profit, partnerships and yes, even multi-national enterprises, exist without them, so WHY do you need them? AND, for that matter, what is a policy anyways? We will attempt to break all of this down and help you get started in the wild world of corporate policy.
In the world of information security (i.e. modern day everything), policies are better than gold. They are more important than your WiFi password, even more crucial than the employee of the month parking space right by the door. Too many companies view policies and procedures as a necessary evil, without first considering their true purpose. Policies are not intended to turn a company into a zombie workforce, quietly droning away day after day in the corporate machine. Their purpose is to outline a standard of operation in the course of a specified event. An effective policy should outline what employees must (or must not) do.
Policies answer questions like: What? Why? A procedure is the counterpart to a policy; it is the instruction on how a policy is followed. A policy defines a rule, and the procedure defines who is expected to do it and how they are expected to do it. Procedures answer questions like: How? When? Where?
Information has always been an asset, since time immemorial. The majority of which is now digitized and stored on computer systems connected to a network. This makes the information vulnerable to attack, to which no system is completely immune. Having an information security policy is therefore essential for any organization wanting to protect its data as well as strengthen its position in the market. Here are 4 reasons why.
- It increases efficiency
The best thing about having any kind of policy is being able to operate with some level of consistency, and consistency is key to efficiency. This in turn saves time, money and resources. With an information security policy in place, all new employees can be brought up to speed with company guidelines as soon as they are hired. The policy should inform workers of their own individual duties, telling them what they can and cannot do with respect to any sensitive information. It should also lay out a clear procedure to be followed in the event of a breach, thus minimizing fallout.
- It upholds discipline and accountability
Human error is will happen. When it does happen, and a system security is compromised, an information security policy will back up any disciplinary action as well as supporting a case in a court of law. In essence, it acts as a contract that proves an organization has taken steps to protect its intellectual property, as well as that of its customers and clients.
- It can make or break a business deal
It is not unusual for companies to be asked by other vendors to provide a copy of their information security policies when making a business deal that involves the transference of sensitive data. This is especially true of bigger businesses wanting to ensure their own security interests are protected when dealing with smaller businesses less likely to have high-end security systems in place. Having a comprehensive up to date information security policy to hand can literally make or break a deal.
- It helps to educate employees on security literacy
A well-worded information security policy can also be seen as an educational document that informs readers of the importance of taking responsibility for their own role in protecting company data. Everything from advice on choosing the right passwords, to providing guidelines for file transfers and data storage, will help to increase employees’ overall awareness of security and how it can be strengthened.