The Importance of having an IT Security Policy in place
Organisations need well-designed IT security policies to ensure the success of their cyber-security strategies and efforts. The lack of an IT security policy can stem from various reasons, which more often than not include limited resources to assist with developing policies, slow adoption by management, or a lack of awareness of the importance of having an effective IT security program in place.
WHAT IS IT SECURITY?
Good IT security prevents unauthorized disclosure, disruption, loss, access, use, or modification of an organisation’s information assets. Without information security, an organisation’s information assets, including any intellectual property, are susceptible to compromise or theft. It is important to keep the principles of confidentiality, integrity, and availability in mind when developing corporate information security policies.
WHY IS AN IT SECURITY POLICY NEEDED?
The goal when writing an organisational information security policy is to provide relevant direction and value to the employees within an organisation with regard to security. The aim of IT security policies is to address security threats and implement strategies to mitigate IT security vulnerabilities, as well as defining how to recover when a network intrusion occurs. Furthermore, the policies provide guidelines to employees on what to do and what not to do. The following are some core reasons why your organisation should have IT security policies in place:
WHAT SHOULD IT INCLUDE?
IT Security Policies should be developed with a multi-layered approach. In light of this, there are nine topic areas which can be addressed.
The above are the minimum policies an organisation should have in place in order to have a sufficiently robust IT Security program.
As a first step in IT security policy development, start by looking at the current IT risks and network vulnerabilities of your organisation. A good way to identify your risks is to have an outside consultant conduct a vulnerability assessment for your organisation.
The purpose of having IT security policies in place is not to adorn the empty spaces of your bookshelf. IT security policies can become outdated over time if they are not actively maintained. At a minimum, IT security policies should be reviewed yearly and updated as needed.
DOES EMPLOYEE MONITORING HELP WITH YOUR IT SECURITY?
In today’s era of digitalisation, employees have access to countless data points which they can edit, download or even share with others. As an employer, you have to guard company and client data both within and beyond the office premises. At the same time, your employees have the fundamental human right to privacy and respect for private life; therefore, when implementing your IT security policies, it is important to keep in mind that a balance must be struck. In light of this, as an employer, you may only collect data relating to an employee through monitoring (e.g. internet usage or access to employee emails) under strict conditions and only for legitimate purposes, with the processing taking place under appropriate conditions, such as where it is proportionate, necessary, lawful and transparent. This may be done through a section within the IT security policy which informs employees that an employer may access certain personal data, such as internet usage or emails, where there is a reasonable suspicion justifying such access.
For further information about how GVZH Advocates can help you with your employment law query, kindly contact us on [email protected].