Call center. Sales. IT. R&D. Your employees, in every department, are the most important defense in protecting information about your company and its customers. Information security involves systems and technology (safeguards against malicious interlopers), but it also relies on clear communication. According to CIO’s Security Worksheet, an online survey of 458 IT professionals developed with security experts at @Stake, only 28.2 percent said their organization had a companywide security policy. Only 37.6 percent label documents in terms of their security status, and 21.8 percent specify how sensitive company documents should be treated.
1. Put people first.
It may be an old Bill Clinton campaign slogan, but it holds for security policies: You’ve got to get workers on the right page. “Employees are your security,” says Mudge, which is the nom de guerre used by the vice president of R&D at @Stake in Cambridge, Mass. “They are your potential leaks, but they are also the people you rely on to keep policies in place and to point out possible problems.”
2. Identify core business assets.
A well-defined security policy reflects the company’s core vision and reinforces what matters to the company from a financial and business stance, Mudge says. Assess what is most important to your business. Identify core business assets and what level of security these assets warrant.
3. Develop labeling guidelines.
Once you know what you have and what needs protecting, designate how to treat each information asset. Classifications could include public record (available to all), company confidential/proprietary (accessible to staff) or classified (available only to certain employees).
4. Specify handling rules.
Consider how company information travels: across your network, data and voice lines, via cellular phones and wireless PDAs. Then specify how information needs to be treated, including how it will be marked (top of document, watermarked paper), transmitted (encrypted, no wireless access), stored (secured servers or locked file cabinets), destroyed (shredded or deleted) and disclosed or released.