The Focus - Our Tax E-Newsletter
IT Policies Your Company Needs in Today's Cyber Computing World
IT security policies are becoming a 'must' for all companies and organizations. With employees working from home more often than ever, it is wise to introduce policies for staff to follow, ensuring you are not compromised.
According to the SANS Institute, an organization’s Security Policy sets the standard for the way in which critical business information and systems will be protected from both internal and external threats.
An Acceptable Use Policy outlines the technology employees are allowed to use for work, including company-provided equipment. Using personal devices should be prohibited as they are not owned by the organization. Cell phones are an exception and are among the only personal devices companies allow their staff to use for work, but the employee must understand and sign off that the company has the right to wipe the data without notice in the event of a breach. Talk to your IT support team to understand how personal devices can be protected.
An Incident Response Plan outlines what staff should do in the event they are compromised electronically. It should list emergency contacts and steps such as unplugging computers or turning off devices, plus other remediation steps if there has been a potential breach. If it is confirmed that your company has been breached, then the recommendation is to seek legal counsel immediately, as there may be legal or financial repercussions depending on the data.
Remote Access Policies are needed as a guide to working remotely. Remember, your internal work environment should travel with you. For medical companies that hold HIPAA-related information, you must ensure that those same security requirements are adhered to both in the office and in remote locations. This includes securing private information by operating with discretion, for example, not leaving private documents on a printer for anyone to see and ensuring family members and friends cannot view private information.
Backup and Data Retention Policies are needed for employees who store data on their local PC. These policies prevent important data from being lost in the event that the employee's computer is stolen, dies, or crashes.
Network Security Policies ensure that employees understand how your company intends to protect data. Explain how and why this is important and what is considered protected data.
This is a high-level summary of just some of the important policies all organizations should implement. If your organization falls under compliance obligations like HIPAA, NYS DFS, SEC, etc., the policies will most likely have to be expanded in great detail and rolled out to staff with training. If you have any questions regarding cybersecurity best practices, please contact your tax advisor at Dermody, Burke & Brown.
The information reflected in this article was current at the time of publication. This information will not be modified or updated for any subsequent tax law changes, if any.