Security Policies for a Small Business
Developing and implementing preventive security measures to safeguard operations is essential for businesses of any size. It is an especially challenging task for small businesses with limited resources. In addition to physical plant and operational security issues, small businesses are increasingly relying on computer network systems as a key part of their business operations, making Internet security important for any security policy.
Physical Security
Depending on the type of business, a company's security policy should provide for physical security guards at key positions to protect inventory and employees from outside threats. The policy should also specify hours of coverage, shift change procedures and incident reporting. Electronic surveillance may form another part of the physical security policy. In addition to guarding against theft of physical assets, surveillance can be an important tool for resolving information security incidents, such as theft of customer financial data. Remember that not all security threats come from outside parties.
Operational Controls
The State of Minnesota's Office of Enterprise Technology defines operational controls as policies that "address process-based security controls implemented and executed by people." Operational security policies cover processes such as information backup, storage data control, system documentation, change control and user and system support. They also include physical and environmental protection policies, as well as disaster preparedness procedures. Personnel awareness and training programs are key to implementing operational security policies. Job descriptions should spell out operational security roles and responsibilities, such as responsibilities related to access to physical and logistical resources and incident reporting duties.
Data Security
Unless computer security controls are in place, information from a firm's computer system can leave over the Internet without leaving any trace of the data theft. The more connected a business is to public computer networks, the more exposure it has to outside threats. While large companies may have IT professionals on staff, small firms must create an infrastructure and data security policy of their own to protect their computer networks from hackers, viruses, phishing, Trojan horses, spyware, spam and worms, using computer backup services, firewalls and virus-protection software. Security policies should set rules for safe Internet usage and for keeping computer-security software subscriptions and updates current.
The Recovery Plan
Not all security risks can be avoided. A security policy should include detailed procedures for both operational and data recovery. Include alternative manual operating plans for the event that key operational tools, such as computers, are down. List contact information for the relevant vendors and service providers. The policy should also name the firm's key operational staff, with a brief description of each person's recovery duties.