How to Write a Standout Corporate Security Policy

Corporate security is much more than an IT concern. Thanks to technology, every employee in your company plays a role in maintaining corporate security.

Posted by Joe Gerard in Corporate Security, Human Resources on November 10th, 2010

Corporate security is much more than an IT concern. Thanks to technology, every employee in your company plays a role in maintaining corporate security. As internal and external security threats continue to increase, you’ll need to make sure that your company’s corporate security policy works with you to protect the company from any type of security incident. Here are some tips to help you write a standout corporate security policy that is easy for your employees to understand:

1. Keep it Simple

How do you expect employees to follow a policy they don’t understand? Simplify every element of the policy- especially language. Keep in mind that each person has a different level of technical know-how. Use terminologies that even your least tech-savvy employees will understand.

2. Content

FREE Investigation Report Template

Prepare thorough, consistent investigation reports with our free report template.

Download Template

Start with legal compliance and move forward from there. Look online for templates or samples of security policies being used by other companies. Knowing what other companies are concerned about can help you determine what areas you’ll want to address in your company’s policy. To take the policy to the next level, visit the ISO 17799 Information and Resource Portal. ISO 17799 is the leader (and standard) for information security. On the site you’ll find great corporate security policy tools that contain content you’ll want to include in your own security policy.

3. Set Measurable Goals

You need to know how your company stacks up when it comes to compliance- where improvements need to be made and which areas require the most attention. Setting clearly defined, measurable goals can help take your policy from a thumbs down to two thumbs up- WAY up. The “Importance of Corporate Security Policy” article on the Symantec website states:

“Before you can manage security you have to have a way to measure its effectiveness. Your corporate security policy provides the acceptable baseline standards against which to measure compliance.”

4. Define Roles and Responsibilities

Each employee plays a different role in keeping corporate information secure. Use the policy to outline who is responsible for what and what their responsibilities entail. It’s a smart idea to appoint a go-to person should employees have questions, need to make information access requests or simply need some verbal clarification of the policy. Simple tasks such as stronger passwords and using encrypted USB keys must be included policy so that employees know exactly what is expected of them. Define access roles, as every employee doesn’t need access to the same information to do their job. The Symantec article above also states:

“The role of the policy is to guide users in knowing what is allowed, and to guide administrators and managers in making choices about system configuration and use. This process will help you establish specific security goals and a plan to tackle them.”

5. Consequences

Clearly outline the consequences employees will face for violating the company’s corporate security policy. Stronger consequences should be handed down if the security breach is conducted in a malicious manner. Follow through on reprimanding employees and enforcing the policy- as always, actions speak louder than words.

6. Keep it Current

A lot can change over a short period of time. Make the policy grow with your company. Don’t waste the investment into your company’s security efforts- keep updating the policy as laws, regulations, internal policies and security threats change. Each year you should assess the workplace for any new risks or security threats. Once the threats are identified, include them in the security policy so that employees know how to deal with them.

Joe Gerard
Joe Gerard

CEO, i-Sight

Spend my days showing off the i-Sight investigative case management software and finding ways to help clients improve their investigations. Usually working with corporate security, HR & employee relations, compliance and legal teams.

Visit Website