IT security policies and their application

IT security policies are the rules that all personnel related to a company must comply with. They ensure the integrity, availability and privacy of the IT infrastructure and the information it holds.

This article explains what information security policies are and their practical applications in the company in different areas.

What are computer security policies?

IT security policies are formal statements of the rules to be followed by people who have access to an organization’s information and technology assets.

This is the definition given in RFC 2196 of the Internet Engineering Task Force (IETF), published in 1997. That publication replaced the previous one from 1991, which shows that computer security became a priority almost at the same time as the Internet itself.

There are two main groups of computer security policies:

Those that define what we must avoid. These are behaviors and practices that can put systems and information at risk, such as opening suspicious files or links, sharing passwords, or using open Wi-Fi networks.

Those that define what we must always do to maintain an adequate level of protection and security. For example:

  • Encrypt sensitive files
  • Deploy backups
  • Use passwords and renew them periodically
  • Use VPN
  • Install antivirus and anti-malware software

Importance of computer security policies: what are they for?

Computer security policies arise as a response to the different security risks to which our systems are exposed:

  • Privacy of information and its protection against access by unauthorized persons such as hackers.
  • Data integrity, and its protection against corruption due to media failures or erasure.
  • Availability of services, against internal or external technical failures.

The goal of IT security policies is to provide all company personnel as well as users accessing their technology and information assets with the requirements and guidelines necessary to protect them.

These policies are also useful when auditing a company’s information systems.

IT security policies: advantages and disadvantages

IT and information security policies depend directly on the security objectives that our company has set for itself. Nowadays it is impossible to obtain a system that is completely secure and resilient against any type of threat or vulnerability.

It will therefore be necessary to determine whether our security policies will be more or less restrictive, which will involve a balance between advantages and disadvantages:

  • Services offered VS security: each service we provide to our users carries security risks; when those risks outweigh the benefits of the service, the decision may be to remove it.
  • Usability VS security: the stricter the security measures, the less usable our systems and services become. The most restrictive measures (such as multi-factor authentication) need to be carefully calibrated so that they are implemented only at the most critical points.
  • Cost VS risk: the implementation of security policies always entails a cost, both human (hiring expert personnel) and monetary (acquisition of hardware and software).

Characteristics of computer security policies

As we have seen, IT security policies differ from one company to another according to each company's objectives and priorities. However, all good IT security policies have these characteristics in common:

  • Concrete: they must be able to be implemented through clear procedures, rules and guidelines.
  • Clear: they must clearly define the responsibilities and obligations of the different types of users: staff, administrators and management.
  • Mandatory: compliance must be enforced, through security tools or sanctions.

Examples of computer security policies

There are different types of IT security policies depending on whether they are aimed at management, technical staff or employees.

In this sense, some examples of computer security policies are:

  • Guidelines for purchasing technologies and contracting services.
  • Privacy in the use of work tools.
  • Access and authentication of users and the definition of rights and privileges.
  • Responsibility of different types of users.
  • Availability of systems and resources.
  • Notification of violations and security breaches.

The National Institute of Cybersecurity makes the main computer security policies for an SME available on its website.

Conclusion on information security policies

IT security policies are a fundamental tool for companies of any type and size when it comes to making their staff aware of security risks and providing specific guidelines for action. However, to be effective, they must:

  • Be written in documents that are made available to all staff.
  • Be flexible and periodically reviewed to adapt to technological changes or new company objectives.
  • Be fully supported by the company's management; otherwise their adoption could be compromised.