Source: Enterprise Ireland

Many companies are becoming increasingly reliant on email and other Internet applications. More and more people carry invaluable data around on laptops, personal digital organisers and similar devices. Employees, customers, suppliers, contractors and business partners are now routinely allowed access to critical business data and to the systems that process and store it. This has created growing risks, including:

  • losing valuable data;
  • the potentially serious consequences of unauthorised access to confidential data;
  • the possibility of the business grinding to a halt because of the failure of computer systems on which you now depend for your day-to-day operations.

IT security is thus vital, and it needs to be addressed before you suffer problems rather than after. The only effective way to do this is to draw up a security policy. This beginner's guide highlights the basic considerations in developing such a policy.

  • Your policy should be designed to guard against a variety of threats to your IT security, including:
    • internal and unintentional (e.g. untrained workers);
    • internal and intentional (e.g. disgruntled employees);
    • external (e.g. hackers, laptop thieves).
  • eSecurity is in many ways like physical security: it requires a mix of technology and procedures; it costs money; it can never be 100% effective; and the challenge is to select the right level of security for your particular business.
  • There are five primary steps to developing a good eSecurity programme:
    • Analyse and assess your requirements.
    • Design a policy with the right mix of technical, procedural and organisational controls.
    • Implement the policy and appoint an individual to take responsibility for it.
    • Ensure security is an integral part of day-to-day activities.
    • Look for continuous improvement and keep abreast of changes in the security and business environments.
  • Provide each employee with enough access to do their job but no more.
  • Consider the security implications before agreeing to give customers, employees working from home and others remote access to your IT systems, and before allowing staff to take laptops or other mobile devices off the premises.
  • Have a clear policy on the use of passwords, e.g.: no sharing; no writing them down on or near the computer; avoiding easy-to-guess passwords; changing them regularly; disabling an employee's accounts as soon as they leave.
  • Use system monitoring, including audit trails and logging, so that you can tell what happened after the fact.
  • Implement a clear anti-virus policy: buy anti-virus software that supports automatic, real-time updates (e.g. McAfee, Symantec) and make sure those updates are actually being applied.
  • Have a disaster recovery plan and keep backups off-site.
  • Once you have a documented policy, you must build awareness, train staff, record activity and review the security architecture as things change over time.
  • Finally, just as with physical security, vigilance is vital to ensure that people are not careless about the rules and do not get into the habit of taking short cuts, however busy they may be.
