Roles and Responsibilities Policy: It is incumbent on you to establish a high standard of “due care” for the ownership, use, and transmittal of information resources, i.e. your team must understand their responsibility towards IT governance, and know what behavior is expected of them.
Some points you need to consider:
There must be an owner for all information, who must determine its security level.
Information security controls must be implemented at the appropriate level to satisfy the most stringent requirements of any party on the system.
Employees must access only the information they need to do their jobs, and use access (login, password etc) provided to them securely and for company purposes only.
Employees must use only authorized connections to company networks and computers.
Responsibilities executed professionally will ensure a high level of governance. You can use the Roles and Responsibilities Policy Template to draw up a comprehensive policy.
Acceptable Encryption Policy: Encryption is a double-edged tool – while it can effectively secure information, it can also hamper organizational staff's ease of access to that information. Hence you need a clear policy on when to encrypt data and who is authorised to do it. You also need to establish a standard for encryption and key management that staff are required to meet.
Some pointers:
Encrypt all data that has been classified as Confidential or Restricted, when you have to transmit it across channels you have no control over, e.g. the internet, VoIP etc.
Encrypt all restricted data on systems that are deemed as “high” risk of loss or theft, such as laptops.
Prohibit anyone from disabling encryption without prior approval.
While you establish encryption standards, you may want to keep the following in mind:
Use only technology that is proven and based on industry standards, such as S/MIME.
Encryption should cover email, folders, FTP and similar channels, so that all critical data is comprehensively covered.
Select encryption that is scalable and appropriately cost effective.
To draw up a comprehensive Acceptable Encryption policy, you can draw on the Acceptable Encryption Policy Template.
Remote System Access Policy: Some staff may need to access organizational IT resources (such as email) from external locations, over third-party providers. In such a case, it is necessary to have a policy that ensures adequate security of your system to prevent leakages, without hampering data flow.
Some points to consider:
All inbound dial-up connections with your internal computer data network must employ extended user authentication.
Dial-up connections to internal systems and networks may be established as long as they are fully consistent with published internal standards.
After a fixed number of unsuccessful attempts, the connection must be terminated.
The Remote Access Policy Template gives you a more comprehensive set of recommendations for drawing up your policy.