
Technology
November 10, 2008

The SMB Security Policy - Part 2


Last time I went over the first three basic steps to creating a sound security policy for your organization. Now that we've communicated with our organization, analyzed the business and its technology operation, and composed our policy, it is time to go through the last three phases to ensure smooth implementation and to ease acceptance as well as enforcement.

Step Four: Collaborate

We communicated the need, so now let's communicate the results: share the policy with all departments, not just the stakeholders. Start an open dialogue with the management and executive teams to ensure their acceptance of the policy. Tweaks prior to the policy's formal implementation will be needed, and that's okay. This is the step where those changes can comfortably be made BEFORE the policy goes into effect organizationally. In my experience, collaborating with the entire organization helps dramatically with adoption as well as adherence.

Step Five: Implement

Plugging it all in is the hardest part, and you can quote me on that! Implementing a real security policy can be tough, especially in situations where one didn't exist previously. Hopefully your collaboration effort and prior communication efforts helped soften the blow and get people prepared for the implementation of the policy.

Implementation within the IT organization should happen before the policy is brought to the employees. For the IT department, adoption should be simple and should actually help define the operation, setting up parameters for operations that may not have existed prior to the development of the policy.

The steps you will need to take to get a policy implemented within your organization will differ depending on the business you're in. If you are in a business that offers services to other companies, and those services require you to handle the client's confidential information, you may need to develop a slightly less detailed and more targeted version of the security policy for the customer's usage. In most cases, presentations with employees and a presentation for HR to give to new employees (if your organization is large enough) will suffice. Again, communication wins the battle when it comes to implementing any type of control policy or framework in your organization.


Step Six: Evolve and Assess

This should go without saying: once you've completed your organization's new security policy, you are not done. On an annual basis, the policy should be evaluated and amended as needed. Sections should never be removed, only amended. This is important for continuity. Additionally, the policy itself should state how amendments are made, under what circumstances, and how those amendments are recorded in the policy itself.

Think of your new security policy as a living document that should evolve as the business itself and its technology operation evolve. Your security policy may be 15 pages or it may be 50 pages, depending on the complexity of your organization, but size is not half as important as organization and content. Even if your business has only a dozen or so employees, putting a security policy in place will help formalize the technologies your organization uses, which will help ensure the security of not only your company's information, but also the information of your customers.