Building a Company Security Policy
Written by Geoff Newman on 7/23/2010
There are threats everywhere in the world, but in the case of organisations it is important to focus on the threats and resulting risks particular to each business. Recognising security risks is a step towards recognising the wider risks in a business, and therefore security management is being seen increasingly as strategic rather than operational. Below are some tips for how to create a strong company security policy:
1. Start at the beginning.
Since security is key to business strategy, the process of creating or rebuilding a security policy needs to start at board level. Security is less about locks and cameras and more about loss and profit, so focusing on it can highlight new business opportunities.
2. Identify and prioritise risks.
‘Risks’ are the possibility of an undesirable outcome, with ‘threats’ as their source. Companies should consider the likelihood of a risk, and the impact it might cause, but priorities will be specific to each company.
3. Communicate and keep it current.
Effective two-way communication between staff and management is essential for gathering input that can improve the policy, and it also makes distributing the policy easier. Keep the policy updated as circumstances change; don’t let it gather dust until the next audit.
4. Don’t let it be a business blocker.
People should know why certain procedures must be put in place and what their benefits are. Some situations bring pressure to cut corners: when recruiting for senior appointments, for example, there is pressure to hire staff before rivals do, and it may seem unrealistic to follow the company’s recruitment processes in full. But if the hired individual turns out to be involved in industrial espionage or the like, it is all too late. Conversely, security assessments may reveal that some risks have been overstated and are therefore worth taking.
5. Screen staff thoroughly.
Employees who have access to company information and assets could cause enormous damage if that information were placed in the wrong hands. Checking criminal records alone is not sufficient for assessing someone in a pivotal position, so background research and CV verification should be carried out to reveal more.
6. Keep it clear and accessible.
Make sure that the policy supports the objectives of the company. The policy should also be easily accessible; for example, it could be placed on the intranet. A short, separate security policy is better than one buried alongside all the other human resources information.
7. Transfer any unavoidable risks.
For risks that cannot be avoided, transfer them so that the risk is borne by someone else. For example, carrying cash in a public space is always a risk, but that risk can be transferred to an outsourced cash-carrying service whose business is built on taking it.
8. Use quality consultants.
Choose consultants carefully and be aware of their reputation, since good consultancy will give independent advice on how best to work, without pushing end user products ahead of addressing the actual risks.