Creating a policy structure within your organisation can be a considerable task, especially when the subject matter is unfamiliar territory.
Information security policies can often be daunting, and assessing your organisation to see where these policies need to be included is a hugely important part of the process.
To make things easier, break down your network into smaller categories:
Employees
Access control
Password management
Secure configuration
IT equipment
Once this has been established, you can then use this list to identify the ‘weak’ areas you have. Are your devices outdated? Is there a common trend of weak passwords? Does everyone have access to everything, whenever they want?
These are the important questions to ask, and the job of policies and processes is to set clear expectations and guidelines when defining security controls.
Let’s take password management as an example. After recent concerns that a phishing attack may have been successful, everyone has had to reset their password. One employee in particular used ‘Kilimanjaro01!’, but after the reset changed it to ‘Kilimanjaro02!’.
This is a perfect scenario where a password policy may prove invaluable – set clear expectations of password strength and use the NCSC best practice guidelines to help define these.
Make sure passwords are unique and meet the complexity requirements: at least eight characters, including at least one upper case letter, one lower case letter, one special symbol and one number. All of this crucial information should be stipulated in your policy and made accessible to all employees.
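The two failures in the Kilimanjaro example are separate: the new password passes a naive length-and-character-class check, yet it is a trivial variation of the old one. The following is an added example (not code from the original article or from NCSC) showing how a reset handler can enforce both the stated complexity rule and a "not just the old password with a different counter" rule. The rule set, the stem heuristic and the edit-distance threshold of 2 are assumptions made for illustration, not figures from the article.

```python
import string

# Policy parameters as stated in the article: at least eight characters with
# at least one upper case letter, one lower case letter, one digit and one
# special symbol.
MIN_LENGTH = 8

# Assumed threshold: a new password within this many single-character edits of
# the old one is treated as a trivial variation.
MAX_SIMILAR_EDITS = 2


def meets_complexity(password: str) -> list[str]:
    """Return the list of complexity rules the password fails (empty if it passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no special symbol")
    return failures


def _stem(password: str) -> str:
    """Strip trailing digits/punctuation and lower-case the rest, so that
    'Kilimanjaro01!' and 'Kilimanjaro02!' both reduce to 'kilimanjaro'."""
    return password.rstrip(string.digits + string.punctuation).lower()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character swaps such as
    'Pass1word!' -> 'Pass2word!' that the stem heuristic would miss."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variation(old: str, new: str) -> bool:
    """True when the new password is the old one with only a trailing counter
    or symbol changed, or differs by at most MAX_SIMILAR_EDITS characters."""
    if old == new:
        return True
    stem_old, stem_new = _stem(old), _stem(new)
    if stem_old and stem_old == stem_new:
        return True
    return _edit_distance(old.lower(), new.lower()) <= MAX_SIMILAR_EDITS


def check_reset(old: str, new: str) -> list[str]:
    """Combine both checks; an empty list means the reset is acceptable.
    In a real system the old password is never stored in clear: the caller
    would compare against the hash of the old value, or keep this check on the
    client side during the reset flow."""
    failures = meets_complexity(new)
    if is_trivial_variation(old, new):
        failures.append("too similar to previous password")
    return failures


if __name__ == "__main__":
    # Constructed sample values mirroring the article's scenario.
    for old, new in [("Kilimanjaro01!", "Kilimanjaro02!"),
                     ("Kilimanjaro01!", "Fj7!quartz-Leopard")]:
        print(f"{old!r} -> {new!r}: {check_reset(old, new) or 'OK'}")
```

Note that a complexity check alone would have accepted the reset in the article's scenario; the similarity check is what turns the written expectation ("passwords are unique") into something the reset flow actually enforces.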