Creating a policy structure within your organisation can be a feat of a task, especially when dealing with subject matter on unfamiliar territory.

Information security policies can often be daunting, and an assessment of your organisation to see where these policies need to be included is a massively important part of this process.

To make things easier, break down your network into smaller categories:


Access control

Password management

Secure configuration

IT equipment

READ MORE: Dealing with Denial of Service

Once this has been established, you can then use this list to identify the ‘weak’ areas you have. Are your devices outdated? Is there a common trend of weak passwords? Does everyone have access to everything, whenever they want?

These are the important questions to ask, and the job of policies and processes is to set clear expectations and guidelines when defining security controls.

Let’s take password management as an example. After recent concerns that a phishing attack may have been successful, everyone has had to reset their password. One employee in particular used ‘Kilimanjaro01!’, but after the reset changed it to ‘Kilimanjaro02!’.

This is a perfect scenario where a password policy may prove invaluable – set clear expectations of password strength and use the NCSC best practice guidelines to help define these.

Make sure passwords are unique and meet complexity requirements of at least eight characters with one upper case, lower case, special symbol and numerical character. All of this crucial information should be stipulated in your policy and made accessible to all employees.