Developing Your IT Policy

July 24, 2015

PDCA, the Plan-Do-Check-Act cycle, is the cornerstone of basic information security management and underpins ISO/IEC 27001:2013, the information security management standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The same cycle applies to industry regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS). The idea is that maintaining your network security is an ongoing process rather than a project with an end date: once you have completed one PDCA cycle, you start it over, so that your organization continually adjusts to changing technology and threats. With that in mind, here are some general recommendations to consider when implementing your own security policy.

Regulations and Your Business

Know and follow the most current regulations that apply to your business. Some regulations, such as HIPAA and PCI DSS, have very specific security requirements.

ISC’s team of experts can provide the knowledgeable consultation healthcare providers need to attain and maintain HIPAA, HITECH, and PCI DSS compliance. Please see our Healthcare IT page for more information.

Physical Security

The physical aspect of security is still as important as it ever was. Protecting equipment, controlling access, and monitoring usage should be a top priority. Controlling physical access to network hardware, data centers, written-down passwords, and confidential documents is just as crucial as controlling access to their electronic counterparts.

Access to server rooms should be controlled and monitored, and, depending on the level of security your organization requires, video surveillance may also be warranted.

Whenever a user leaves their computer unattended, even for a few moments, the screen should be locked to prevent unauthorized access. A password-protected screen saver should also activate automatically after a short period of inactivity, so that a forgotten lock does not leave a session open.

Documents containing confidential information must be properly stored and disposed of (clean desk policy).

Least Privilege User Access (LUA)

Employees should have only the level of access needed to do their job. Access must be reviewed regularly and adjusted promptly, for example when an employee leaves the company or changes role within it. Clearly defining each person’s role and responsibilities is what makes it possible to define the right level of authorized access.

Accessing data for any purpose outside of conducting company business, even when access is available, should be considered unacceptable.

Password Policy

Every password should be unique and should not be a dictionary word, a name, or any other term that can simply be looked up (a Wikipedia topic, for example). It should be a minimum of 8 characters and contain at least one character from each of four classes: uppercase letter, lowercase letter, number, and special character.

Personal details, special dates, and anything else that someone familiar with the user could easily learn should be avoided. Passwords should be changed at least every 90 days and not reused for a minimum of 12 cycles (up to 1,080 days, or almost 3 years). A restriction should also be enforced against incremental passwords (smith1, smith2, and so on), which defeat the purpose of rotation; note that this check can only be made at change time, while the old password is still available for comparison, because stored password hashes cannot be compared for similarity. One caveat for practitioners: later guidance, notably NIST SP 800-63B (2017), advises against forced periodic rotation on its own and recommends changing a password when there is evidence of compromise, precisely because mandatory rotation pushes users toward incremental passwords.

For sensitive information, the stricter regimes cited here go further: two-factor authentication, passwords (or passphrases) of at least 22 characters, and no reuse for 24 cycles. Two-factor authentication requires two different kinds of evidence: something the user knows (the password) plus something the user has (a one-time code from a mobile authenticator or a hardware token) or something the user is (a fingerprint). Additional security questions are another "something you know" and do not count as a second factor.

Sharing passwords, or leaving them where they can easily be found, is never acceptable, even between colleagues within the organization. If another employee needs access to data, their own authorized access should be reevaluated and adjusted if deemed necessary.
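The rules above are easy to state and surprisingly easy to get subtly wrong in code. The following is an added example, not code from ISC or from this article: a small policy checker that enforces the length and character-class rules, rejects dictionary words and personal details, checks reuse against a salted-hash history of the last 12 passwords, and rejects an incremental change by comparing the candidate to the old password supplied at change time. The wordlist, the user "jsmith", and the personal details are constructed for the example; a deployment would load a real dictionary (cracklib's, for instance) and a far higher PBKDF2 round count.

```python
import hashlib
import os
import re
import secrets
from dataclasses import dataclass, field
from datetime import date
from typing import Iterable, List, Optional, Tuple

MIN_LENGTH = 8
HISTORY_DEPTH = 12       # a password may not be reused for 12 change cycles
MAX_AGE_DAYS = 90        # rotation interval from the policy above
PBKDF2_ROUNDS = 10_000   # kept low for the example; production settings are far higher

# Constructed stand-in for a real dictionary / "Wikipedia topic" wordlist.
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "football", "london"}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _stem(password: str) -> str:
    """Strip a trailing run of digits/symbols and lowercase: 'Smith2!' -> 'smith'."""
    return re.sub(r"[\d\W_]+$", "", password).lower()


@dataclass
class PasswordHistory:
    """Salted hashes of recent passwords, oldest first. Only hashes are kept, which is
    why reuse can be checked here but similarity to an old password cannot."""
    entries: List[Tuple[bytes, bytes]] = field(default_factory=list)

    def contains(self, password: str) -> bool:
        return any(secrets.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self.entries)

    def add(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _hash(password, salt)))
        del self.entries[:-HISTORY_DEPTH]   # forget anything older than 12 cycles


def check_password(candidate: str, *, username: str, personal: Iterable[str],
                   history: PasswordHistory, old_password: Optional[str] = None) -> List[str]:
    """Return every policy violation found; an empty list means the password is acceptable.
    old_password is the password being replaced, available only at change time, so that
    incremental changes (smith1 -> smith2) can be rejected."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in (("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
                          ("digit", r"\d"), ("special", r"[^A-Za-z0-9]")):
        if not re.search(pattern, candidate):
            problems.append(f"missing a {name} character")
    lowered = candidate.lower()
    if lowered in COMMON_WORDS or _stem(candidate) in COMMON_WORDS:
        problems.append("based on a dictionary word")
    for detail in sorted({username.lower(), *(p.lower() for p in personal)}):
        if detail and detail in lowered:
            problems.append(f"contains personal detail {detail!r}")
    if history.contains(candidate):
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    if old_password is not None and _stem(candidate) == _stem(old_password):
        problems.append("incremental change of the previous password")
    return problems


def rotation_due(last_changed: str, today: str, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True once a password (dates given as ISO strings) is older than the rotation interval."""
    return (date.fromisoformat(today) - date.fromisoformat(last_changed)).days >= max_age_days


if __name__ == "__main__":
    # Constructed walk-through for a hypothetical user 'jsmith' born in 1978.
    hist = PasswordHistory()
    hist.add("Winter2014!")
    for pw in ("Winter2015!", "Smith1978", "Password1!", "Tq7#vR!m9zLx"):
        print(pw, "->", check_password(pw, username="jsmith", personal={"smith", "1978"},
                                       history=hist, old_password="Winter2014!") or "OK")
```

Two design points worth noticing: the history stores only salted hashes, so a leaked history file does not leak old passwords, and the similarity check is deliberately separate because it needs the old password in the clear, which is exactly why real systems such as pam_pwquality perform it during the change itself.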

Limiting and monitoring consecutive unsuccessful logon attempts (account lockout) is a control network administrators can implement to blunt password guessing. Lockout events should also be logged and reviewed, since a burst of failures against one account is often the first visible sign of an attack.
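Operating systems enforce lockout themselves (Windows account lockout policy, pam_faillock on Linux), but the monitoring half of the recommendation means reading the logs. As an added example that is not part of this article, here is a detector that replays sshd-style authentication lines, counts consecutive failures per account inside a time window, resets the count on a successful logon the way an OS lockout counter does, and reports each point at which an account crossed the threshold. The log lines, host name, user names and addresses are constructed for the example, and the year is assumed because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

THRESHOLD = 5            # consecutive failures before the account is flagged/locked
WINDOW_SECONDS = 900     # failures older than this no longer count toward the run
LOG_YEAR = 2015          # assumed: syslog timestamps carry no year

# Constructed sample in the style of OpenSSH's auth log; not from a real system.
SAMPLE_LOG = """\
Jul 24 09:01:10 host sshd[4120]: Failed password for jsmith from 203.0.113.7 port 51022 ssh2
Jul 24 09:01:14 host sshd[4120]: Failed password for jsmith from 203.0.113.7 port 51022 ssh2
Jul 24 09:01:19 host sshd[4120]: Failed password for jsmith from 203.0.113.7 port 51022 ssh2
Jul 24 09:01:25 host sshd[4121]: Failed password for jsmith from 203.0.113.7 port 51030 ssh2
Jul 24 09:01:31 host sshd[4121]: Failed password for jsmith from 203.0.113.7 port 51030 ssh2
Jul 24 09:02:02 host sshd[4125]: Failed password for mlee from 198.51.100.9 port 40110 ssh2
Jul 24 09:02:40 host sshd[4126]: Accepted password for mlee from 198.51.100.9 port 40112 ssh2
Jul 24 09:02:50 host CRON[4127]: pam_unix(cron:session): session opened for user root
Jul 24 09:03:05 host sshd[4130]: Failed password for invalid user admin from 192.0.2.44 port 33001 ssh2
Jul 24 09:03:06 host sshd[4130]: Failed password for invalid user admin from 192.0.2.44 port 33001 ssh2
Jul 24 09:03:07 host sshd[4130]: Failed password for invalid user admin from 192.0.2.44 port 33001 ssh2
Jul 24 09:03:08 host sshd[4130]: Failed password for invalid user admin from 192.0.2.44 port 33001 ssh2
Jul 24 09:03:09 host sshd[4130]: Failed password for invalid user admin from 192.0.2.44 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) "
)


def parse_line(line: str) -> Optional[Tuple[datetime, bool, str, str]]:
    """(timestamp, succeeded, user, source ip) for a password-auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return ts, m["result"] == "Accepted", m["user"], m["ip"]


def find_lockouts(log_text: str, threshold: int = THRESHOLD,
                  window_seconds: int = WINDOW_SECONDS) -> List[Tuple[str, datetime, List[str]]]:
    """Replay the log and return (user, time, source ips) for each point at which an
    account accumulated `threshold` consecutive failures inside the window.
    A successful logon resets the count, exactly as an OS lockout counter does."""
    window = timedelta(seconds=window_seconds)
    runs = defaultdict(list)      # user -> [(timestamp, ip), ...] of the current failure run
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:           # unrelated line (cron, sudo, ...): ignore
            continue
        ts, ok, user, ip = rec
        if ok:
            runs[user].clear()
            continue
        run = runs[user]
        run.append((ts, ip))
        run[:] = [(t, i) for t, i in run if ts - t <= window]   # age out old failures
        if len(run) >= threshold:
            events.append((user, ts, sorted({i for _, i in run})))
            run.clear()           # the account is now locked; start counting afresh
    return events


if __name__ == "__main__":
    for user, when, ips in find_lockouts(SAMPLE_LOG):
        print(f"{when:%H:%M:%S} lock {user!r} after {THRESHOLD} failures from {', '.join(ips)}")
```

On the sample, jsmith is flagged at 09:01:31 and the nonexistent account admin at 09:03:09, while mlee, who mistyped once and then logged in, is not. Shrinking the window to 10 seconds drops the slower jsmith run and keeps the automated burst against admin, which is the trade-off a lockout window sets: short enough not to lock out a fumbling user, long enough to catch a patient guesser.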

Read one of our recent articles on the importance of passwords here.

Email and Communication Policy

Your corporate policy should address sending unsolicited messages; any form of harassment via email, telephone, or the internet; unauthorized use or forging of messages; creating or forwarding inappropriate material; and personal use, including blogging and social media. Employees should always be mindful of the organization’s image and reputation and avoid revealing confidential or proprietary information.

Users must be cognizant of the threats posed by opening attachments, replying to suspicious emails, or otherwise providing information to third parties who could use that information maliciously. Social engineering techniques such as baiting, phishing, pretexting, quid pro quo, and tailgating must be fully understood to be effectively prevented. For more information on these tactics, see Webroot’s article here.

Team members should be held accountable for exercising good judgement in all communications and promptly reporting any suspicious activity or known violation of company policy.

Maintain Security Patches

Not every software update must be installed the moment it is released, but security patches are the exception. They typically close a newly disclosed vulnerability, and attackers begin exploiting such vulnerabilities soon after disclosure, so security patches should be applied as soon as practical. Because they are released more frequently than feature updates, they must be continuously monitored and tracked.

Manage Removable Media Devices

Create and enforce policies that limit or restrict the use of removable media devices (memory cards, discs, USB drives, smartphones, etc.). Set up policies to scan all removable media before it is allowed on, or accessed from, your computer network.

Maintain and Update Virus/Malware Software

ISC recommends the use of Webroot® SecureAnywhere for virus and malware protection. It is important to ensure that the current version of the software, with current definitions, is installed on all desktops, laptops, and servers on the network.

Backup Your Data

Backing up your critical data and systems is crucial to keeping your business productive and viable in the event of a failure. A backup that has never been restored is untested, so this includes periodically exercising your backup system by restoring data and verifying its integrity, to be sure you can recover the information quickly and completely when it is needed. With the growth of cloud-based backup services, there are more options than ever.
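What "periodically testing your backup system" looks like in practice is a restore drill: restore into a clean location and verify every file against a record taken at backup time, rather than trusting that the archive opens. The following is an added example, not code from ISC or from this article. It backs up a constructed sample tree into a tar archive alongside a manifest of SHA-256 hashes, restores into an empty directory while refusing archive members that would escape it, and then reports missing or altered files; a tamper flag damages the restored copy to show the verification catching it. The file names and contents are constructed for the example.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Archive the source tree and write a manifest of relative path -> sha256 captured
    at backup time; the manifest is what a later restore is checked against."""
    manifest: Dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(source.rglob("*")):
            if path.is_file():
                rel = path.relative_to(source).as_posix()
                manifest[rel] = sha256_file(path)
                tar.add(path, arcname=rel)
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def within(base: str, member_name: str) -> bool:
    """True if extracting member_name under base stays inside base (blocks '../' and absolute names)."""
    root = Path(base).resolve()
    target = (root / member_name).resolve()
    return target == root or root in target.parents


def extract_safely(archive: Path, restore_dir: Path) -> None:
    """Extract, refusing any member that would land outside the restore directory."""
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if not within(str(restore_dir), member.name):
                raise ValueError(f"refusing to extract {member.name!r} outside {restore_dir}")
            tar.extract(member, restore_dir)


def compare_to_manifest(manifest: Dict[str, str], restore_dir: Path) -> dict:
    """Report files missing from the restore or whose content no longer matches the manifest."""
    missing: List[str] = []
    mismatched: List[str] = []
    for rel, expected in manifest.items():
        p = restore_dir / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != expected:
            mismatched.append(rel)
    return {"files": len(manifest), "missing": missing, "mismatched": mismatched,
            "ok": not missing and not mismatched}


def restore_drill(tamper: bool = False) -> dict:
    """Back up a constructed sample tree, restore it into a clean directory and verify.
    tamper=True then damages the restored copy to show that verification catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, restore = root / "source", root / "restore"
        (source / "records").mkdir(parents=True)
        (source / "records" / "patients.csv").write_text("id,name\n1,constructed sample\n")
        (source / "config.ini").write_text("[app]\nmode=prod\n")
        archive = root / "backup.tar.gz"
        manifest = create_backup(source, archive)
        restore.mkdir()
        extract_safely(archive, restore)
        if tamper:
            (restore / "config.ini").write_text("[app]\nmode=test\n")   # silent corruption
            (restore / "records" / "patients.csv").unlink()             # file lost on restore
        return compare_to_manifest(manifest, restore)


if __name__ == "__main__":
    print("clean restore:", restore_drill())
    print("damaged restore:", restore_drill(tamper=True))
```

Two points carry over to real backup tooling: keep the manifest (or equivalent checksums) separate from the archive so that a corrupted archive cannot vouch for itself, and never extract an archive you did not build without a path check, since a crafted member name such as `../../etc/passwd` would otherwise be written outside the restore directory (Python 3.12 and later offer `filter="data"` on `extract`/`extractall` for the same purpose).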

Train Your Staff

Security is a team effort. With up to 75% of breaches attributed to employees failing to follow sound security practices, training is a key element of reducing security incidents.

When setting corporate policy and sharing security rules with your team, explain the reasons behind those practices. By creating awareness and understanding of why these policies matter, team members are more likely to remember those policies and adhere to them. It is also important to keep policies as simple and straightforward as possible. Use language and terminology that even non-technical members can understand. Set and consistently enforce consequences for violation of security policies. Copies of the most current corporate policies should be readily available to employees at all times.


Your security policy should be reviewed at least annually and updated as needed in between, such as after a security event, major change within the organization, or a new government or industry regulation that applies to your business. Your training methods should also be evaluated on a routine basis and adjusted to make them more effective.


This article provides general recommendations to consider when creating your organization’s formal security policy. The suggestions contained here represent the expert opinion of Integrated Systems Consultants at the time this was written. Security policies should always be customized and written specifically for an individual organization to be relevant and effective. Integrated Systems Consultants can assist with the creation and implementation of your unique security policy. This service is provided upon request as an optional addition to your organization’s overall IT environment.