Corporate Security Policy

Every company that uses computers and connects to the Internet in some way needs a Corporate Security Policy (CSP).

A Corporate Security Policy can be simple or complex.

  • It can be as simple as "No surfing the web from company computers".
  • It can be complex and include multiple sections, for example:

    • A business section, describing why the company needs Internet access, what it trusts its employees to do, and what they must not do.
    • A data protection section, inventorying what essential company data is retained in its computer network, how the data is protected and backed up, and how it will be restored in case of disaster. This is also known as a Business Recovery or Contingency Plan.
    • A security section, listing what protective measures are taken, both active and passive, including monitoring to ensure that its employees are using its resources properly.
    • A technical section, inventorying the company network, and describing the network devices and computers.
    • A response section, detailing what steps are to be taken when its security measures detect a problem.
    • A legal section, detailing how employees will be treated when they are determined to be in violation of the other sections.
    • An ongoing assessment section, describing how periodic evaluation of the CSP is to be conducted. Since a CSP is not static, it must be periodically reevaluated.

  • It can include more or less, according to the needs of the company.

A CSP with any degree of complexity needs personnel from several functions to develop and approve its content:

  • Information Security.
  • Information Technology.
  • Human Resources.
  • Legal.