New and Updated IT Security Policies
IT security is a key consideration for any modern business. Businesses rely heavily on a variety of IT technology for their day-to-day operations, communication, and data management, and many also engage in e-commerce. Given such reliance, the importance of IT security cannot be overstated.
IT security encompasses a range of practices, procedures, and tools designed to safeguard a business’s digital assets, data, devices, and infrastructure from a range of threats including malware, cyberattacks, data breaches, and unauthorized access.
As more and more data is stored electronically, the risks resulting from inadequate IT security have increased. Security breaches will not only put valuable proprietary, and oftentimes personal, data at risk of theft, exposure, or loss, but can also lead to significant financial losses, reputational damage, legal liability, and operational disruption. Regardless of the size of your business, therefore, IT security is vitally important.
New IT Security Policies – Access Control and Anti-Malware
Two new IT security policy templates are available, each of which expands on content previously contained within the standard IT Security Policy template (which has also been updated, as explained below).
The new Access Control Policy, designed to be used alongside the IT Security Policy, sets out the measures taken by your business (and your employees, contractors, and so on) with respect to the control of access to your IT systems, both electronic and physical.
Electronic access control covers user accounts and levels of access privileges. The policy template bases its approach on the principle of “least privilege”. This means that users should only be granted the level of access to systems and data that they actually need to perform their jobs and no more. Passwords are also covered in some detail in this template, including provisions on choosing strong passwords, not sharing passwords, and resetting lost passwords.
Hardware access control is also covered, including measures such as locking rooms containing IT systems, and limiting access to servers and other important infrastructure using smart cards or fobs and coded locks.
The new Anti-Malware Policy, also designed to be used alongside the IT Security Policy, sets out the measures taken by your business (and your employees, contractors, and so forth) to protect your IT systems and data from malware.
Malware poses a serious risk to individuals and businesses of all sizes. It can be defined broadly as any type of malicious file, code, or software which performs malicious and unauthorised tasks including, but not limited to, deleting files, stealing data (personal and otherwise), gaining access to systems, changing device settings, and controlling devices and software. Types of malware include, but are not limited to, viruses, worms, trojans, rootkits, keyloggers, spyware, adware, phishing, and ransomware.
Key provisions in this new policy template deal with both client device and server protection and set out important user responsibilities. It is important to note that in this context, “client device” refers to an end-user device within your business (e.g., an employee’s desktop computer), not those belonging to customers. Measures to be taken include the (obvious) installation of anti-malware software, keeping software and malware definitions up to date, running scheduled scans, and more.
Updated IT Security Policy
To work in conjunction with these new policy templates, the main IT Security Policy has been updated with new provisions that cross-refer to each of the new policies. In each case, the relevant sections of the IT Security Policy offer two options. The first option is to cross-refer to the new dedicated policies, which contain more detailed provisions and thereby provide improved security (if followed). The second option is to use the shorter, simpler provisions contained within the IT Security Policy itself instead of maintaining separate documents. Other changes to this template include lightly revised terminology in some sections, and additional requirements to keep written logs of certain actions and approvals.
The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.