Policies & Procedures

The first step in securing your network is to define how your company intends to manage and protect its information and resources. Such decisions depend upon things like the nature of your information and the cost of security. But regardless of your final decisions, your security practices should be written down and shared with all your employees.

Policies are the overall company attitudes and intentions. For example, “It is the policy of XYZ Company to back up our data nightly and store this backup at an offsite facility.” Procedures, on the other hand, are step-by-step instructions, with the responsibility for each step carefully delineated.

Policies and procedures should be tailored to fit your specific environment, but should deal with such topics as:

  • The level of privacy an employee can expect on a company computer
  • Which employees have access to which systems
  • Network practices
  • What to do when you suspect an intrusion
  • Steps to take when an employee leaves the company

Security policies and procedures should be documented and regularly enforced, and users should know their obligations for protecting the company’s network. Users include all who have authorized accounts on your systems. They can play a vital role in detecting signs of intrusion.

How do I get policies and procedures?

You can create your own policies and procedures, have them written for you by a consultant, or purchase them already written. There are several sources on the Internet that can help you:

Free information:

Paid services:

Good website on overall security considerations:


For Florida state agencies, the Office of Information Security engaged in a security policy initiative by assisting in the development of eleven (11) policy templates and declaring them as guidelines for core agency security policies. This included a much-needed Mobile Computing policy.