SlideShare a Scribd company logo

Free_business_IT_security_policy_template_v5.pdf

K
klodianelezi1

It Security Policy template

Internet
1 of 10
Download to read offline
Free business IT security policy template
2 This template is as a starting point for smaller businesses and a prompt for discussion in larger firms. We strongly advise you to engage the whole business in your security plan, get professional support to implement it and obtain legal advice on any changes to company policies. An initial, free consultation with Pensar is a good place to start. Apply now Request your free IT security evaluation
• Reduce the risk of IT problems • Plan for problems and deal with them when they happen • Keep working if something does go wrong • Protect company, client and employee data • Keep valuable company information, such as plans and designs, secret • Meet our legal obligations under the General Data Protection Regulation and other laws • Meet our professional obligations towards our clients and customers This IT security policy helps us: 3 Introduction Responsibilities IT security problems can be expensive and time-consuming to resolve. Prevention is much better than cure. • [NAME] is the director with overall responsibility for IT security strategy. • [NAME] has day-to-day operational responsibility for implementing this policy. • [NAME] is the IT partner organisation we use to help with our planning and support. • [NAME] is the data protection officer to advise on data protection laws and best practices Review process We will review this policy [FREQUENCY]. In the meantime, if you have any questions, suggestions or feedback, please contact [NAME, EMAIL, PHONE].
4 We will only classify information which is necessary for the completion of our duties. We will also limit access to personal data to only those that need it for processing. We classify information into different categories so that we can ensure that it is protected properly and that we allocate security resources appropriately: • Unclassified. This is information that can be made public without any implications for the company, such as information that is already in the public domain. • Employee confidential. This includes information such as medical records, pay and so on. • Company confidential. Such as contracts, source code, business plans, passwords for critical IT systems, client contact records, accounts etc. • Client confidential. This includes personally identifiable information such as name or address, passwords to client systems, client business plans, new product information, market sensitive information etc. • [OTHER CLASSIFICATIONS AS REQUIRED] We have categorised the information we keep as follows: Information classification Type of information Systems involved Classification level e.g. customer records e.g. Salesforce CRM e.g. Company confidential The deliberate or accidental disclosure of any confidential information has the potential to harm the business. This policy is designed to minimise that risk. [Optional: We do not protectively mark documents and systems. Therefore, you should assume information is confidential unless you are sure it is not and act accordingly.]
5 As for client information, we operate in compliance with the GDPR ‘Right to Access’. This is the right of data subjects to obtain confirmation as to whether we are processing their data, where we are processing it and for what purpose. Further, we shall provide, upon request, a copy of their personal data, free of charge in an electronic format. We also allow data subjects to transmit their own personal data to another controller. However, in general, to protect confidential information we implement the following access controls: • Company confidential [ADD CONTROL MEASURES, LIST SENSITIVE SYSTEMS, IDENTIFY TRUSTED ADMIN USERS]. • Client confidential [ADD CONTROL MEASURES, LIST SENSITIVE SYSTEMS, IDENTIFY TRUSTED ADMIN USERS]. • Employee confidential. [ADD CONTROL MEASURES, LIST SENSITIVE SYSTEMS, IDENTIFY TRUSTED ADMIN USERS]. • In addition, admin privileges to company systems will be restricted to specific, authorised individuals for the proper performance of their duties as follows: [IDENTIFY ADMIN USERS AND THE SCOPE OF THEIR POWER]. Access controls Internally, as far as possible, we operate on a ‘need to share’ rather than a ‘need to know’ basis with respect to company confidential information. This means that our bias and intention is to share information to help people do their jobs rather than raise barriers to access needlessly.
6 To protect our data, systems, users and customers we use the following systems: • Laptop and desktop anti-malware [NAME, LICENCE DETAILS] • Server anti-malware [NAME, LICENCE DETAILS] • Cloud-hosted email spam, malware and content filtering [NAME, LICENCE DETAILS] • Email archiving and continuity [NAME, LICENCE DETAILS] • Website malware and vulnerability scanning [NAME, LICENCE DETAILS] • Intrusion detection and prevention [NAME, LICENCE DETAILS] • Desktop firewall [NAME, LICENCE DETAILS] • Perimeter firewall [NAME, LICENCE DETAILS] Security software When a new employee joins the company, we will add them to the following systems: • [SYSTEM, DEFAULT ACCESS LEVEL, ACCESS VARIATIONS BY JOB ROLE] • [SYSTEM, DEFAULT ACCESS LEVEL, ACCESS VARIATIONS BY JOB ROLE] • [SYSTEM, DEFAULT ACCESS LEVEL, ACCESS VARIATIONS BY JOB ROLE] • [SYSTEM, DEFAULT ACCESS LEVEL, ACCESS VARIATIONS BY JOB ROLE] Employees joining and leaving We will provide training to new staff and support for existing staff to implement this policy. This includes: • An initial introduction to IT security, covering the risks, basic security measures, company policies and where to get help • Each employee will complete the National Archives ‘Responsible for Information’ training course (approximately 75 minutes) • Training on how to use company systems and security software properly • On request, a security health check on their computer, tablet or phone When people leave a project or leave the company, we will promptly revoke their access privileges to company systems.
7 Effective security is a team effort requiring the participation and support of every employee and associate. It is your responsibility to know and follow these guidelines. You are personally responsible for the secure handling of confidential information that is entrusted to you. You may access, use or share confidential information only to the extent it is authorised and necessary for the proper performance of your duties. Promptly report any theft, loss or unauthorised disclosure of protected information or any breach of this policy to [NAME]. It is also your responsibility to use your devices (computer, phone, tablet etc.) in a secure way. However, we will provide training and support to enable you to do so (see below). At a minimum: • Remove software that you do not use or need from your computer • Update your operating system and applications regularly • Keep your computer firewall switched on • For Windows users, make sure you install anti-malware software (or use the built-in Windows Defender) and keep it up to date. For Mac users, consider getting anti-malware software. • Store files in official company storage locations so that it is backed up properly and available in an emergency. • Switch on whole disk encryption • Understand the privacy and security settings on your phone and social media accounts • Have separate user accounts for other people, including other family members, if they use your computer. Ideally, keep your work computer separate from any family or shared computers. • Don’t use an administrator account on your computer for everyday use • Make sure your computer and phone logs out automatically after 15 minutes and requires a password to log back in. Your responsibilities Protecting your own device(s)
• Change default passwords and PINs on computers, phones and all network devices • Consider using password management software • Don’t share your password with other people or disclose it to anyone else • Don’t write down PINs and passwords next to computers and phones • Use strong passwords • Change them regularly • Don’t use the same password for multiple critical systems Password guidelines Be alert to other security risks While technology can prevent many security incidents, your actions and habits are also important. With this in mind: • Take time to learn about IT security and keep yourself informed. Get Safe Online is a good source for general awareness • Use extreme caution when opening email attachments from unknown senders or unexpected attachments from any sender. 8
• Be on guard against social engineering, such as attempts by outsiders to persuade you to disclose confidential information, including employee, client or company confidential information. Fraudsters and hackers can be extremely persuasive and manipulative. • Be wary of fake websites and phishing emails. Don’t click on links in emails or social media. Don’t disclose passwords and other confidential information unless you are sure you are on a legitimate website. • Use social media, including personal blogs, in a professional and responsible way, without violating company policies or disclosing confidential information. • Take particular care of your computer and mobile devices when you are away from home or out of the office. • If you leave the company, you will return any company property, transfer any company work-related files back to the company and delete all confidential information from your systems as soon as is practicable. • Where confidential information is stored on paper, it should be kept in a secure place where unauthorised people cannot see it and shredded when no longer required. The following things (among others) are, in general, prohibited on company systems and while carrying out your duties for the company and may result in disciplinary action: • Anything that contradicts our equality and diversity policy, including harassment. • Circumventing user authentication or security of any system, network or account. • Downloading or installing pirated software. • Disclosure of confidential information at any time. 9 Backup, disaster recovery and continuity This is how we backup our business-critical systems. • [SYSTEM NAME, BACKUP MECHANISM, FREQUENCY OF BACKUP, RECOVERY TIME OBJECTIVE, RECOVERY POINT OBJECTIVE, FREQUENCY OF TEST RESTORES] • [SYSTEM NAME, BACKUP MECHANISM, FREQUENCY OF BACKUP, RECOVERY TIME OBJECTIVE, RECOVERY POINT OBJECTIVE, FREQUENCY OF TEST RESTORES] • [SYSTEM NAME, BACKUP MECHANISM, FREQUENCY OF BACKUP, RECOVERY TIME OBJECTIVE, RECOVERY POINT OBJECTIVE, FREQUENCY OF TEST RESTORES] 9
10 This is how we will respond to potential interruptions to our business: • [FOR EACH ITEM INCLUDE: WHO TO ALERT, INITIAL RESPONSE, RECOVERY ACTION STEPS, SOURCES OF SUPPORT AND ADVICE] • Severe transport disruption • Unable to access office because of flood, fire, civil disorder, terrorist incident etc. • Loss of internet and/or phone connection • Loss or theft of critical systems We will test these contingency plans at least once a year. This is how we will respond to IT security issues: • Malware infection detected by scanners • Ransomware • System failure • Attempted social engineering • Data loss or theft Under the GDPR, where a data breach is likely to result in a ‘risk for the rights and freedoms of individuals’ we must notify the customers and data controllers ‘without undue delay’. We will ensure we inform them within 72 hours. [FOR EACH ISSUE INCLUDE CONTACT DETAILS AND, WHERE RELEVANT, SUPPORT CONTRACT DETAILS AND OTHER INFORMATION NECESSARY TO A SPEEDY RESPONSE] Appointment of a Data Protection Officer [IF APPLICABLE] The Data Protection Officer will be appointed on their professional qualities and expert knowledge on data protection law and practices. This can be a staff member or an external service provider. Either way, we will provide contact details to the relevant data protection authorities. The company will ensure the data protection office is given all appropriate resources to carry out their tasks and maintain their expert knowledge. The Data Protection Officer reports directly to the highest level of management and must not carry out any other tasks that could result in a conflict of interest.

Recommended

Securing your digital world - Cybersecurity for SBEs
Securing your digital world - Cybersecurity for SBEsSecuring your digital world - Cybersecurity for SBEs
Securing your digital world - Cybersecurity for SBEsSonny Hashmi
 
Securing your digital world cybersecurity for sb es
Securing your digital world cybersecurity for sb esSecuring your digital world cybersecurity for sb es
Securing your digital world cybersecurity for sb esSonny Hashmi
 
Presentation 10.pptx
Presentation 10.pptxPresentation 10.pptx
Presentation 10.pptxmishogelashvili28
 
iSchoolConnect_Information Security User Awareness Training_16th Nov 2021.ppt...
iSchoolConnect_Information Security User Awareness Training_16th Nov 2021.ppt...iSchoolConnect_Information Security User Awareness Training_16th Nov 2021.ppt...
iSchoolConnect_Information Security User Awareness Training_16th Nov 2021.ppt...RIYAJAIN179446
 
IT Policy
IT PolicyIT Policy
IT PolicySherri Booher
 
ISMS Awareness Training (2) (1).pptx
ISMS Awareness Training (2) (1).pptxISMS Awareness Training (2) (1).pptx
ISMS Awareness Training (2) (1).pptxvasidharta
 
08 pdf show-239
08 pdf show-23908 pdf show-239
08 pdf show-239#TheFraudTube
 
NameIn this assignment, you must answer the Answer Implying .docx
NameIn this assignment, you must answer the Answer Implying .docxNameIn this assignment, you must answer the Answer Implying .docx
NameIn this assignment, you must answer the Answer Implying .docxgemaherd
 

Recommended

Securing your digital world - Cybersecurity for SBEs
Securing your digital world - Cybersecurity for SBEsSecuring your digital world - Cybersecurity for SBEs
Securing your digital world - Cybersecurity for SBEsSonny Hashmi
 
Securing your digital world cybersecurity for sb es
Securing your digital world cybersecurity for sb esSecuring your digital world cybersecurity for sb es
Securing your digital world cybersecurity for sb esSonny Hashmi
 
Presentation 10.pptx
Presentation 10.pptxPresentation 10.pptx
Presentation 10.pptxmishogelashvili28
 
iSchoolConnect_Information Security User Awareness Training_16th Nov 2021.ppt...
iSchoolConnect_Information Security User Awareness Training_16th Nov 2021.ppt...iSchoolConnect_Information Security User Awareness Training_16th Nov 2021.ppt...
iSchoolConnect_Information Security User Awareness Training_16th Nov 2021.ppt...RIYAJAIN179446
 
IT Policy
IT PolicyIT Policy
IT PolicySherri Booher
 
ISMS Awareness Training (2) (1).pptx
ISMS Awareness Training (2) (1).pptxISMS Awareness Training (2) (1).pptx
ISMS Awareness Training (2) (1).pptxvasidharta
 
08 pdf show-239
08 pdf show-23908 pdf show-239
08 pdf show-239#TheFraudTube
 
NameIn this assignment, you must answer the Answer Implying .docx
NameIn this assignment, you must answer the Answer Implying .docxNameIn this assignment, you must answer the Answer Implying .docx
NameIn this assignment, you must answer the Answer Implying .docxgemaherd
 
Harshit security
Harshit securityHarshit security
Harshit securityHarshitGupta435
 
6 Biggest Cyber Security Risks and How You Can Fight Back
6 Biggest Cyber Security Risks and How You Can Fight Back6 Biggest Cyber Security Risks and How You Can Fight Back
6 Biggest Cyber Security Risks and How You Can Fight BackMTG IT Professionals
 
it-security.ppt
it-security.pptit-security.ppt
it-security.pptAmanSoni665879
 
Information Security Awareness Training Open
Information Security Awareness Training OpenInformation Security Awareness Training Open
Information Security Awareness Training OpenFred Beck MBA, CPA
 
Sample Data Security PoliciesThis document provides three ex.docx
Sample Data Security PoliciesThis document provides three ex.docxSample Data Security PoliciesThis document provides three ex.docx
Sample Data Security PoliciesThis document provides three ex.docxrtodd599
 
Mis
MisMis
Mismisecho
 
Chapter 10, part 1
Chapter 10, part 1Chapter 10, part 1
Chapter 10, part 1misecho
 
Need for having Security, Email & Internet Usage Policy in Companies - Legal ...
Need for having Security, Email & Internet Usage Policy in Companies - Legal ...Need for having Security, Email & Internet Usage Policy in Companies - Legal ...
Need for having Security, Email & Internet Usage Policy in Companies - Legal ...Vijay Dalmia
 
cybersecurity
cybersecurity cybersecurity
cybersecurity AkshaySajith3
 
En msft-scrty-cntnt-e book-protectyourdata
En msft-scrty-cntnt-e book-protectyourdataEn msft-scrty-cntnt-e book-protectyourdata
En msft-scrty-cntnt-e book-protectyourdataOnline Business
 
insider threat research
insider threat researchinsider threat research
insider threat researchAsma Al-maskaria
 
Lock it or Lose It: Why Every Company Should be Concerned About Data Security
Lock it or Lose It: Why Every Company Should be Concerned About Data SecurityLock it or Lose It: Why Every Company Should be Concerned About Data Security
Lock it or Lose It: Why Every Company Should be Concerned About Data SecuritySmartCompliance
 
4 it-security.ppt
4 it-security.ppt4 it-security.ppt
4 it-security.pptDevenderDahiya9
 
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2TechSoup Canada
 
Group presentation for Information Security Class.
Group presentation for Information Security Class.Group presentation for Information Security Class.
Group presentation for Information Security Class.Ashley Clark
 
Jms secure data presentation
Jms secure data presentationJms secure data presentation
Jms secure data presentationJMS Secure Data
 
IT Policy
IT PolicyIT Policy
IT PolicySensewareInfomedia
 
Security 101 for No- techies
Security 101 for No- techiesSecurity 101 for No- techies
Security 101 for No- techiesBrenton Johnson
 
TECHNIQUES DATA PRO.pptx
TECHNIQUES DATA PRO.pptxTECHNIQUES DATA PRO.pptx
TECHNIQUES DATA PRO.pptxHAFIDHISAIDI1
 
Securing Mobile Devices in the Workplace - Six Tips For Midsize Businesses
Securing Mobile Devices in the Workplace - Six Tips For Midsize BusinessesSecuring Mobile Devices in the Workplace - Six Tips For Midsize Businesses
Securing Mobile Devices in the Workplace - Six Tips For Midsize BusinessesMidmarketIBM
 
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service PuneVIP Call Girls Pune Madhuri 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service PuneCall girls in Ahmedabad High profile
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebJames Anderson
 

More Related Content

Similar to Free_business_IT_security_policy_template_v5.pdf

6 Biggest Cyber Security Risks and How You Can Fight Back
6 Biggest Cyber Security Risks and How You Can Fight Back6 Biggest Cyber Security Risks and How You Can Fight Back
6 Biggest Cyber Security Risks and How You Can Fight BackMTG IT Professionals
 
Information Security Awareness Training Open
Information Security Awareness Training OpenInformation Security Awareness Training Open
Information Security Awareness Training OpenFred Beck MBA, CPA
 
Sample Data Security PoliciesThis document provides three ex.docx
Sample Data Security PoliciesThis document provides three ex.docxSample Data Security PoliciesThis document provides three ex.docx
Sample Data Security PoliciesThis document provides three ex.docxrtodd599
 
Chapter 10, part 1
Chapter 10, part 1Chapter 10, part 1
Chapter 10, part 1misecho
 
Need for having Security, Email & Internet Usage Policy in Companies - Legal ...
Need for having Security, Email & Internet Usage Policy in Companies - Legal ...Need for having Security, Email & Internet Usage Policy in Companies - Legal ...
Need for having Security, Email & Internet Usage Policy in Companies - Legal ...Vijay Dalmia
 
En msft-scrty-cntnt-e book-protectyourdata
En msft-scrty-cntnt-e book-protectyourdataEn msft-scrty-cntnt-e book-protectyourdata
En msft-scrty-cntnt-e book-protectyourdataOnline Business
 
Lock it or Lose It: Why Every Company Should be Concerned About Data Security
Lock it or Lose It: Why Every Company Should be Concerned About Data SecurityLock it or Lose It: Why Every Company Should be Concerned About Data Security
Lock it or Lose It: Why Every Company Should be Concerned About Data SecuritySmartCompliance
 
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2TechSoup Canada
 
Group presentation for Information Security Class.
Group presentation for Information Security Class.Group presentation for Information Security Class.
Group presentation for Information Security Class.Ashley Clark
 
Jms secure data presentation
Jms secure data presentationJms secure data presentation
Jms secure data presentationJMS Secure Data
 
Security 101 for No- techies
Security 101 for No- techiesSecurity 101 for No- techies
Security 101 for No- techiesBrenton Johnson
 
TECHNIQUES DATA PRO.pptx
TECHNIQUES DATA PRO.pptxTECHNIQUES DATA PRO.pptx
TECHNIQUES DATA PRO.pptxHAFIDHISAIDI1
 
Securing Mobile Devices in the Workplace - Six Tips For Midsize Businesses
Securing Mobile Devices in the Workplace - Six Tips For Midsize BusinessesSecuring Mobile Devices in the Workplace - Six Tips For Midsize Businesses
Securing Mobile Devices in the Workplace - Six Tips For Midsize BusinessesMidmarketIBM
 

Similar to Free_business_IT_security_policy_template_v5.pdf (20)

Harshit security
Harshit securityHarshit security
Harshit security
 
6 Biggest Cyber Security Risks and How You Can Fight Back
6 Biggest Cyber Security Risks and How You Can Fight Back6 Biggest Cyber Security Risks and How You Can Fight Back
6 Biggest Cyber Security Risks and How You Can Fight Back
 
it-security.ppt
it-security.pptit-security.ppt
it-security.ppt
 
Information Security Awareness Training Open
Information Security Awareness Training OpenInformation Security Awareness Training Open
Information Security Awareness Training Open
 
Sample Data Security PoliciesThis document provides three ex.docx
Sample Data Security PoliciesThis document provides three ex.docxSample Data Security PoliciesThis document provides three ex.docx
Sample Data Security PoliciesThis document provides three ex.docx
 
Mis
MisMis
Mis
 
Chapter 10, part 1
Chapter 10, part 1Chapter 10, part 1
Chapter 10, part 1
 
Need for having Security, Email & Internet Usage Policy in Companies - Legal ...
Need for having Security, Email & Internet Usage Policy in Companies - Legal ...Need for having Security, Email & Internet Usage Policy in Companies - Legal ...
Need for having Security, Email & Internet Usage Policy in Companies - Legal ...
 
cybersecurity
cybersecurity cybersecurity
cybersecurity
 
En msft-scrty-cntnt-e book-protectyourdata
En msft-scrty-cntnt-e book-protectyourdataEn msft-scrty-cntnt-e book-protectyourdata
En msft-scrty-cntnt-e book-protectyourdata
 
insider threat research
insider threat researchinsider threat research
insider threat research
 
Lock it or Lose It: Why Every Company Should be Concerned About Data Security
Lock it or Lose It: Why Every Company Should be Concerned About Data SecurityLock it or Lose It: Why Every Company Should be Concerned About Data Security
Lock it or Lose It: Why Every Company Should be Concerned About Data Security
 
4 it-security.ppt
4 it-security.ppt4 it-security.ppt
4 it-security.ppt
 
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
 
Group presentation for Information Security Class.
Group presentation for Information Security Class.Group presentation for Information Security Class.
Group presentation for Information Security Class.
 
Jms secure data presentation
Jms secure data presentationJms secure data presentation
Jms secure data presentation
 
IT Policy
IT PolicyIT Policy
IT Policy
 
Security 101 for No- techies
Security 101 for No- techiesSecurity 101 for No- techies
Security 101 for No- techies
 
TECHNIQUES DATA PRO.pptx
TECHNIQUES DATA PRO.pptxTECHNIQUES DATA PRO.pptx
TECHNIQUES DATA PRO.pptx
 
Securing Mobile Devices in the Workplace - Six Tips For Midsize Businesses
Securing Mobile Devices in the Workplace - Six Tips For Midsize BusinessesSecuring Mobile Devices in the Workplace - Six Tips For Midsize Businesses
Securing Mobile Devices in the Workplace - Six Tips For Midsize Businesses
 

Recently uploaded

VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service PuneVIP Call Girls Pune Madhuri 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service PuneCall girls in Ahmedabad High profile
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebJames Anderson
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Servicegwenoracqe6
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaGram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaimessage0108
 
Radiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsRadiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsstephieert
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...aditipandeya
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$kojalkojal131
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Delhi Call girls
 

Recently uploaded (20)

VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service PuneVIP Call Girls Pune Madhuri 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service Pune
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaGram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of india
 
Radiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsRadiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girls
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
 
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 

Free_business_IT_security_policy_template_v5.pdf

  • 1. Free business IT security policy template
  • 2. 2 This template is as a starting point for smaller businesses and a prompt for discussion in larger firms. We strongly advise you to engage the whole business in your security plan, get professional support to implement it and obtain legal advice on any changes to company policies. An initial, free consultation with Pensar is a good place to start. Apply now Request your free IT security evaluation
  • 3. • Reduce the risk of IT problems • Plan for problems and deal with them when they happen • Keep working if something does go wrong • Protect company, client and employee data • Keep valuable company information, such as plans and designs, secret • Meet our legal obligations under the General Data Protection Regulation and other laws • Meet our professional obligations towards our clients and customers This IT security policy helps us: 3 Introduction Responsibilities IT security problems can be expensive and time-consuming to resolve. Prevention is much better than cure. • [NAME] is the director with overall responsibility for IT security strategy. • [NAME] has day-to-day operational responsibility for implementing this policy. • [NAME] is the IT partner organisation we use to help with our planning and support. • [NAME] is the data protection officer to advise on data protection laws and best practices Review process We will review this policy [FREQUENCY]. In the meantime, if you have any questions, suggestions or feedback, please contact [NAME, EMAIL, PHONE].
  • 4. 4 We will only classify information which is necessary for the completion of our duties. We will also limit access to personal data to only those that need it for processing. We classify information into different categories so that we can ensure that it is protected properly and that we allocate security resources appropriately: • Unclassified. This is information that can be made public without any implications for the company, such as information that is already in the public domain. • Employee confidential. This includes information such as medical records, pay and so on. • Company confidential. Such as contracts, source code, business plans, passwords for critical IT systems, client contact records, accounts etc. • Client confidential. This includes personally identifiable information such as name or address, passwords to client systems, client business plans, new product information, market sensitive information etc. • [OTHER CLASSIFICATIONS AS REQUIRED] We have categorised the information we keep as follows: Information classification Type of information Systems involved Classification level e.g. customer records e.g. Salesforce CRM e.g. Company confidential The deliberate or accidental disclosure of any confidential information has the potential to harm the business. This policy is designed to minimise that risk. [Optional: We do not protectively mark documents and systems. Therefore, you should assume information is confidential unless you are sure it is not and act accordingly.]
  • 5. 5 As for client information, we operate in compliance with the GDPR ‘Right to Access’. This is the right of data subjects to obtain confirmation as to whether we are processing their data, where we are processing it and for what purpose. Further, we shall provide, upon request, a copy of their personal data, free of charge in an electronic format. We also allow data subjects to transmit their own personal data to another controller. However, in general, to protect confidential information we implement the following access controls: • Company confidential [ADD CONTROL MEASURES, LIST SENSITIVE SYSTEMS, IDENTIFY TRUSTED ADMIN USERS]. • Client confidential [ADD CONTROL MEASURES, LIST SENSITIVE SYSTEMS, IDENTIFY TRUSTED ADMIN USERS]. • Employee confidential. [ADD CONTROL MEASURES, LIST SENSITIVE SYSTEMS, IDENTIFY TRUSTED ADMIN USERS]. • In addition, admin privileges to company systems will be restricted to specific, authorised individuals for the proper performance of their duties as follows: [IDENTIFY ADMIN USERS AND THE SCOPE OF THEIR POWER]. Access controls Internally, as far as possible, we operate on a ‘need to share’ rather than a ‘need to know’ basis with respect to company confidential information. This means that our bias and intention is to share information to help people do their jobs rather than raise barriers to access needlessly.
  • 6. 6 To protect our data, systems, users and customers we use the following systems: • Laptop and desktop anti-malware [NAME, LICENCE DETAILS] • Server anti-malware [NAME, LICENCE DETAILS] • Cloud-hosted email spam, malware and content filtering [NAME, LICENCE DETAILS] • Email archiving and continuity [NAME, LICENCE DETAILS] • Website malware and vulnerability scanning [NAME, LICENCE DETAILS] • Intrusion detection and prevention [NAME, LICENCE DETAILS] • Desktop firewall [NAME, LICENCE DETAILS] • Perimeter firewall [NAME, LICENCE DETAILS] Security software When a new employee joins the company, we will add them to the following systems: • [SYSTEM, DEFAULT ACCESS LEVEL, ACCESS VARIATIONS BY JOB ROLE] • [SYSTEM, DEFAULT ACCESS LEVEL, ACCESS VARIATIONS BY JOB ROLE] • [SYSTEM, DEFAULT ACCESS LEVEL, ACCESS VARIATIONS BY JOB ROLE] • [SYSTEM, DEFAULT ACCESS LEVEL, ACCESS VARIATIONS BY JOB ROLE] Employees joining and leaving We will provide training to new staff and support for existing staff to implement this policy. This includes: • An initial introduction to IT security, covering the risks, basic security measures, company policies and where to get help • Each employee will complete the National Archives ‘Responsible for Information’ training course (approximately 75 minutes) • Training on how to use company systems and security software properly • On request, a security health check on their computer, tablet or phone When people leave a project or leave the company, we will promptly revoke their access privileges to company systems.
  • 7. 7 Effective security is a team effort requiring the participation and support of every employee and associate. It is your responsibility to know and follow these guidelines. You are personally responsible for the secure handling of confidential information that is entrusted to you. You may access, use or share confidential information only to the extent it is authorised and necessary for the proper performance of your duties. Promptly report any theft, loss or unauthorised disclosure of protected information or any breach of this policy to [NAME]. It is also your responsibility to use your devices (computer, phone, tablet etc.) in a secure way. However, we will provide training and support to enable you to do so (see below). At a minimum: • Remove software that you do not use or need from your computer • Update your operating system and applications regularly • Keep your computer firewall switched on • For Windows users, make sure you install anti-malware software (or use the built-in Windows Defender) and keep it up to date. For Mac users, consider getting anti-malware software. • Store files in official company storage locations so that it is backed up properly and available in an emergency. • Switch on whole disk encryption • Understand the privacy and security settings on your phone and social media accounts • Have separate user accounts for other people, including other family members, if they use your computer. Ideally, keep your work computer separate from any family or shared computers. • Don’t use an administrator account on your computer for everyday use • Make sure your computer and phone logs out automatically after 15 minutes and requires a password to log back in. Your responsibilities Protecting your own device(s)
  • 8. • Change default passwords and PINs on computers, phones and all network devices • Consider using password management software • Don’t share your password with other people or disclose it to anyone else • Don’t write down PINs and passwords next to computers and phones • Use strong passwords • Change them regularly • Don’t use the same password for multiple critical systems Password guidelines Be alert to other security risks While technology can prevent many security incidents, your actions and habits are also important. With this in mind: • Take time to learn about IT security and keep yourself informed. Get Safe Online is a good source for general awareness • Use extreme caution when opening email attachments from unknown senders or unexpected attachments from any sender. 8
  • 9. • Be on guard against social engineering, such as attempts by outsiders to persuade you to disclose confidential information, including employee, client or company confidential information. Fraudsters and hackers can be extremely persuasive and manipulative. • Be wary of fake websites and phishing emails. Don’t click on links in emails or social media. Don’t disclose passwords and other confidential information unless you are sure you are on a legitimate website. • Use social media, including personal blogs, in a professional and responsible way, without violating company policies or disclosing confidential information. • Take particular care of your computer and mobile devices when you are away from home or out of the office. • If you leave the company, you will return any company property, transfer any company work-related files back to the company and delete all confidential information from your systems as soon as is practicable. • Where confidential information is stored on paper, it should be kept in a secure place where unauthorised people cannot see it and shredded when no longer required. The following things (among others) are, in general, prohibited on company systems and while carrying out your duties for the company and may result in disciplinary action: • Anything that contradicts our equality and diversity policy, including harassment. • Circumventing user authentication or security of any system, network or account. • Downloading or installing pirated software. • Disclosure of confidential information at any time. 9 Backup, disaster recovery and continuity This is how we backup our business-critical systems. • [SYSTEM NAME, BACKUP MECHANISM, FREQUENCY OF BACKUP, RECOVERY TIME OBJECTIVE, RECOVERY POINT OBJECTIVE, FREQUENCY OF TEST RESTORES] • [SYSTEM NAME, BACKUP MECHANISM, FREQUENCY OF BACKUP, RECOVERY TIME OBJECTIVE, RECOVERY POINT OBJECTIVE, FREQUENCY OF TEST RESTORES] • [SYSTEM NAME, BACKUP MECHANISM, FREQUENCY OF BACKUP, RECOVERY TIME OBJECTIVE, RECOVERY POINT OBJECTIVE, FREQUENCY OF TEST RESTORES] 9
  • 10. 10 This is how we will respond to potential interruptions to our business: • [FOR EACH ITEM INCLUDE: WHO TO ALERT, INITIAL RESPONSE, RECOVERY ACTION STEPS, SOURCES OF SUPPORT AND ADVICE] • Severe transport disruption • Unable to access office because of flood, fire, civil disorder, terrorist incident etc. • Loss of internet and/or phone connection • Loss or theft of critical systems We will test these contingency plans at least once a year. This is how we will respond to IT security issues: • Malware infection detected by scanners • Ransomware • System failure • Attempted social engineering • Data loss or theft Under the GDPR, where a data breach is likely to result in a ‘risk for the rights and freedoms of individuals’ we must notify the customers and data controllers ‘without undue delay’. We will ensure we inform them within 72 hours. [FOR EACH ISSUE INCLUDE CONTACT DETAILS AND, WHERE RELEVANT, SUPPORT CONTRACT DETAILS AND OTHER INFORMATION NECESSARY TO A SPEEDY RESPONSE] Appointment of a Data Protection Officer [IF APPLICABLE] The Data Protection Officer will be appointed on their professional qualities and expert knowledge on data protection law and practices. This can be a staff member or an external service provider. Either way, we will provide contact details to the relevant data protection authorities. The company will ensure the data protection office is given all appropriate resources to carry out their tasks and maintain their expert knowledge. The Data Protection Officer reports directly to the highest level of management and must not carry out any other tasks that could result in a conflict of interest.