
Internet Usage, Network Security, Password Management and Physical Access

Internet Usage Policy: While the internet may be a major source of information for employees, as well as a means of communication with clients, vendors, etc., it is also open to abuse and a major threat (in the form of viruses) to your organization’s data. Hence an internet access policy is critical.

Some things to keep in mind:

Reserve access to those who have a demonstrable business need.

Prohibit transmittance of company information over the Internet unless such transmission is approved and secured.

Screen all software and files downloaded with virus detection software.

You can use the Internet Access Policy Template to draw up your policy statement.

Network Security Policy: While your organization’s intranet is necessary for employees to communicate with each other, securing it from external attack is critical. Your policy must see to it that your organization’s data is not compromised in any way.

Pointers:

Restrict access to authorized people.

User-IDs must each uniquely identify a single user.

Users must not leave their computer, workstation, or terminal unattended without first logging-out, locking the workstation, or invoking a password-protected screen saver.

Internal network addresses must not be publicly released.

All Internet Web servers must be firewall protected.

Any external network connections must be secured via approved standards.

Prior approval is required for all changes.

A larger and more comprehensive policy template can be found in the Network Security Policy Template. A policy with this broad a scope requires input from pretty much every team within the IT department—telecommunications, network operations, development, and security.

Password Management Policy: Nothing can ruin an organization more than a bad password, vulnerable to cracking. Thus your policy on passwords will be a key determinant of the robustness of your IT governance.

Some simple pointers include forcing users to change their passwords frequently, requiring complex passwords that are not easily cracked, and not storing passwords in an accessible place. What really matters in your policy is the teeth you give it, i.e. the powers you give your team to effectively implement the password management policy. You can use the Password Management Policy Template to set yours.

Physical Access Policy: Some of the company’s IT assets, such as servers and master computers, are placed in special rooms, to which access is restricted to authorised personnel only. The policy that governs this is thus very important.

Some suggestions:

Restrict entry to authorized personnel only, who produce the correct i-card or badge.

Ensure that all computer room doors can be opened only by authorized personnel with the right keys.

Individuals needing temporary access to computer rooms must have IT Department permission, granted after adequate justification.

Security staff will regularly monitor all computer room doors.

All entry and exit must be logged.

For sensitive areas, security cameras, with video tape recordings made of all activity, are recommended.

This is a sensitive policy. Excessive security measures might hamper normal work, while a lax policy may potentially do a lot of damage. A comprehensive set of recommendations can be found in the Physical Access Policy Template, which you can use to devise your policy.
