For a majority of small organisations, security policies will make a big difference when something goes wrong. Security policies not only set the intentions for strategic thinking but also define expected behaviour, how to handle certain incidents, and so on. In some respects they may end up being as much for all the organisation's other stakeholder groups, including employees, directors, customers, regulators, investors, etc. So it is important not only to have them, but to ensure that they give good coverage for your Organisation.
This is an edited transcript from a video blog recording of Sarb Sembhi, CTO and the CISO for Virtually Informed, and his co-host Nick Ioannou, Director of Boolean Logic.
Introduction to security policies for Small Organisations
Today we are looking at why Small Organisations should have security policies. We often get asked, "do we need to have security policies as a Small Organisation?" Or, "what's the point of them?" Or, "we're not a big enough organisation." Or, "what difference would it make to anyone, if we had policies?"
Why have security policies in a Small Organisation?
There are many benefits for Small Organisations to have security policies, including:
- Providing guidance for employees
- Clarifying issues for human resources
- Attracting large enterprise customers
- Saving time when policies are requested by customers, funders, partners, etc.
- Helping to demonstrate the importance of security to regulators if the organisation is investigated
But before going into the benefits, let’s take a quick look at some of the policies we are suggesting and why they are useful.
"Having policies for employees ... provides guidance on how the organisation views security."
Security policy suggestions
We will explore security policies in more detail another time, but the most important security policies all Small Organisations should have include an Email Policy, an Internet Use Policy and a Data Protection Policy. Staff data is a big part of the information that Organisations hold, and it is highly detailed personal information: medical information, tax, addresses, contact numbers, next of kin; basically, it's all there.
On top of those three, there needs to be an overall Security Policy, which covers all the things that are necessary from any user's perspective, like passwords, social media, email, what they can and cannot do, etc. Then finally, depending on the sector the Organisation is in, there may be a need for policies around employee responsibilities related to data protection, or even ones that relate to some of the standards that will be used to ensure security, for example encryption.