The 8 Reasons to have a written Corporate IT Security Policy
Regardless of whether your business is a one-man-show, or a mega-conglomerate, you need to develop a corporate security policy to cover your bases in the event something goes awry, and to prevent things from going wrong in the first place.
McAfee defines a security policy as “a set of published, systematic rules that apply to all aspects of IT system and data deployment, defining company approved applications, access control and network authentication, approved vendors, user groupings or domains, the configurations for any number of different layers of security, and so on.”
So what does this mean? A security policy will put in place a mechanism to prevent security breaches and protect the information that is at the core of your business. The goal of the policy is to guard your company against data loss and delineate what is deemed inappropriate behavior by employees online. It should also explain what actions to take if you uncover an intrusion attempt, and what web sites or programs you can and cannot use, or visit, from your work computer. It communicates a clear, comprehensive security standard to your entire staff. All of these limitations serve to inhibit any behavior that could put your network at risk and make it more susceptible to attacks by evil-doing hackers.
A good corporate security policy will serve as a guide for your organization in its hour of need, and believe me, you will have an hour of need. Some issues your security policy should encompass include:
- Internet usage
- Email usage
- Password security
- Visitor security
- Contractor security
- What to do in the event of a virus outbreak
- Drive security
- Back-up policy
Let’s take a look at a few of these issues.
Internet Usage
This is the primary area of concern for most businesses.
- What Web sites should employees be visiting at work?
- What sites are deemed inappropriate?
- What happens if a virus enters the network?
- How will you deal with employees plugging wireless routers into their LAN connection for their laptop?
- Is instant messaging allowed?
- If it is, through what program and whom may employees instant message?
Email Usage
Employees should know what email address to use for work purposes and not to use that same address for personal emails. Employees should also know if they are even allowed to open personal email on their work computer, or whether they can receive attachments on their work computer. Email remains the most gaping hole for attackers to break into. Open a suspicious attachment, and bam, it’s all over.
Software Installation
Only allow administrators to install software. The less installed from outside networks, the less chance for harm. Be careful who has access to program installation, what they can install, and who gives the permission to install it.
[...] their office. A box is checked that software is purchased, but many do not incorporate into their Corporate Security Policy. Mike Fratto of Network Computing writes that there is a ‘lack of compelling business [...]