What makes a good policy?

  • is short and concrete
  • focuses on goals, roles, responsibilities and tasks
  • covers the relevant security aspects (personal, office, travel, devices, etc.)
  • clearly differentiates between what needs to be done once, regularly, or all the time
  • helps the reader take action (spells out internal support, links to resources)
  • has a clear link to the organizational mission and identity
  • is part of the main working space of the organisation and reflects its (visual) identity
  • includes both protective measures and incident response

What makes a bad policy?

  • focuses only on documentation of tools
  • cannot be found by staff
  • can only be understood by experts, champions or IT staff
  • is too aspirational and too far removed from actual practices
  • is a quick hack of a template, or a bad recycling of other policies
  • is one giant document that does not differentiate between different needs and responsibilities

Goals

  • Establish a clear standard of practice within the organization
  • Ensure sustainability of practice
  • Create organizational consensus
  • Establish the policy initially, then use it dynamically as the organization incorporates new practices, or as the environment or the organization changes

Prerequisites

  • Existing workflow and program activities
  • Initial assessment, including resources
  • Priorities
  • Organigram (organizational chart)
  • Helpful: existing templates

Elements to be included

  • Buy-in and a strategy to implement, enforce, and communicate the policy
  • Communication policy
    • social media
    • Email
    • Chat
    • Mobile
    • Branding practices and signatures
    • PGP usage, key storage, publishing keys, subject lines
  • All of the above should cover access control measures, level of encryption, and personal vs. work usage
  • Data management policy
    • Where is it stored? (cloud, local, etc.)
    • Access control (new hires, employees leaving, different levels of access)
    • Data retention
    • Data deletion
    • Backup
    • Encryption 
    • Password management
    • File naming and storage structure
  • Equipment policy
    • Personal use
    • Taking home
    • Installing software
    • Pirated software
    • Anti-Virus
    • Updates
    • Disposal of devices
  • Training
    • When does training happen?
    • How often?
    • Self-learning resources?
    • Funds for professional development
  • Employee leaving
    • What to expect when you leave the organization
    • Email access
    • Equipment handover
  • Incident Reporting
    • Security reports
    • Lost equipment
    • Infiltration
    • Virus/Hacking
  • Field Documentation and Reporting
    • Depends on methodology, but considers meta/exif data, physical exposure, mobile use, software tools, physical safety, travel

Security policy templates
