6.5. Writing Your Own Security Policy

To help you get a jumpstart on writing your security policies, we include two sample policies in the sidebars "A sample corporate antivirus policy" and "A sample mobile device usage policy," in this chapter. Feel free to use these policies, or policy templates that you find on the Web, and tailor them to the needs of your organization.

Your security guidelines specify how to

  • Put a policy into action.

  • Define who has responsibility for deployment of the technologies required to support the policy.

  • Decide what the systems or users do if there is a breach in the security policy.

  • Take recourse when policies have been violated.

  • Assign responsibility for correcting the issue.

  • Establish a timeline for an action such as "all virus outbreaks will be investigated and a plan put in place within 24 hours of the first reported infection."

A sample corporate antivirus policy

Overview: This policy describes the Company XYZ policy on antivirus applications. Included in this policy are guidelines specifying antivirus updates, scan intervals, and recommended antivirus applications. It also specifies e-mail antivirus policies — blocked attachments, network antivirus scanning, and anti-spam techniques.

Purpose: This policy has been designed to protect Company XYZ from the ongoing threat of viruses, worms, and other forms of malware.

Policy:

  • All corporate managed laptops must have the corporate standard antivirus application installed and running at all times. This software is installed as part of the standard corporate operating system and must at no point be tampered with, uninstalled, or disabled.

  • Antivirus definition files must be updated on a regular basis. The desktop application group will define an update mechanism and schedule for antivirus software updates. At no point should any employee interfere with the regular update of the antivirus software.

  • System real-time protection must be running at all times. Full-disk system scans must be run on a regular schedule of not less than one time per week.

  • Any user who suspects that his or her machine has been compromised with a virus or any other form of malware must immediately inform the helpdesk for corrective action to be taken.

  • Users must take care not to download suspicious or unknown files from any source, including e-mails, file servers, and Web sites.

  • All incoming e-mail will be scanned for viruses by the corporate network antivirus server prior to being processed. If a virus is found, the policy is to immediately delete the attachment and notify the intended recipient of the action taken. A separate list of permanently blocked attachments is updated and maintained by the IT security group.

Depending on the size of your organization, you might have more or less thorough and detailed policies. If your company is large, you might need formal procedures. For a smaller company, you might simply be able to establish a common understanding among employees, although we recommend documentation as a best practice for recording procedures, regardless of the size of your organization.

A sample mobile device usage policy

Overview: This policy describes the Company XYZ policy on mobile device usage. A mobile device is any PDA, smartphone, or other portable device that has the ability to access the corporate network and is able to store sensitive corporate data.

Purpose: This policy has been designed to ensure that Company XYZ employees protect mobile devices and corporate data from theft and loss.

Policy:

  • All devices used by Company XYZ employees to access any corporate data must be approved by IT security and the employee's manager prior to being used.

  • All devices must be from the available list of approved mobile devices. Under no circumstances will non-approved devices be allowed.

  • All devices must have the corporate-approved full-disk encryption and remote device disk-wipe protection package installed and running at all times.

  • Employees must take all reasonable steps to ensure that mobile devices are not lost or stolen; this requires extra diligence from every employee to guard against carelessness.

  • Sensitive corporate data must not be downloaded to mobile devices. Data access is restricted to corporate e-mail, the corporate CRM application, and the company intranet. Sensitive attachments received via e-mail must not be stored permanently on the device's disk drive or on any removable media.

  • Employees must immediately report any lost or stolen devices to the helpdesk.

  • Any requests for exception to this policy must be approved by Company XYZ's IT security.
