The Data Security Policy template provides comprehensive language defining the rules and procedures for how employees create, store, move, handle, reproduce, transmit and dispose of company data. The full template is available in Microsoft Word and can be easily tailored to the specific needs of your buisness.
Read on for excerpts from the actual policy:
This policy applies to paper documents, electronic reports and presentations, as well as transmitted or stored data such as email and customer transactions.
The purpose of this policy is to provide guidance and recommendations in complying with _COMPANY information security policies and procedures for the creation, storage, movement, handling, reproduction, transmission, and disposal of information. Business leaders should work with security managers to implement this in creating business policy and risk-based controls.
The following rules define _COMPANY’s policy governing data security:
- Information must be classified. All electronic information is to be classified by the Business Information Owners, according to the rules listed in the Data Security Standard. to be used in the assignment of appropriate security mechanisms. Information owners will provide documentation requested to support who will be granted permission to access information for which they are responsible.
- Assigning appropriate security safeguards. Once information has been classified by the business owner, the IT Department will implement the appropriate technical security safeguards.
- Appropriate access controls must be in place by default. File access control permissions for all _COMPANY networked systems must be set to a default which blocks access by unauthorized users before being placed into production.
- Restriction of special system privileges. Special system privileges, such as the ability to examine the files of other users, must be restricted to those directly responsible for system management and/or security. These privileges must be granted only to those who have attended an approved systems administrator training class or who have been approved and authorized by the IT Department.
- Sharing a personal user-ID is prohibited. Users must not share their user-IDs, nor obtain the ID of another user, in order to invoke the privileges they need to perform a certain task. Management must define user privileges such that ordinary users cannot gain access to, or otherwise interfere with, either the individual activities or the private data of other users.
- Existence of user access capabilities does not imply usage permission. “Just because you can do it, doesn’t mean that you are allowed to do it.” Specifically, users must not read, modify, delete, or copy a file belonging to another user without first obtaining permission from the owner of the file. Unless user access is clearly provided, the ability to read, modify, delete, or copy a file belonging to another user does not imply permission to actually perform these activities.
- Generic user-IDs based on job function are prohibited. Generic user-IDs based on job function, as well as group user IDs, are prohibited. Instead, user-IDs must uniquely identify specific individuals. Group user-IDs may be assigned for software objects, shared workstations, contracting firms, outsourcing firms, or other third parties, only with the approval of the Director of the IT Department.
- Privileges for remote administration of Internet-connected computers in the demilitarized zone (DMZ) must be restricted. Remote administration of Internet-connected computers is not allowed unless accessed over encrypted links.
- Logging and reporting required for privileged user-ID activities. All user-ID creation, deletion, and privilege change activity performed by systems administrators and others with privileged user-IDs must be securely logged and reflected in periodic management reports.
- _COMPANY management reserves the right to revoke the privileges of any user at any time. A user’s access privileges may be revoked if the user engages in conduct that interferes with the normal and proper operation of _COMPANY information systems, which adversely affects the ability of others to use these information systems. Enforcement of this rule shall be governed by the terms of the _COMPANY Code of Conduct Agreement.
- Access privileges associated with a user account (ID) must be revoked after that user-ID has been inactive for a period of time specified by internal standards. Exceptions to this rule may be made with the approval of the user’s manager and the Director of Information Security and Disaster Recovery.
- Access privileges associated with a user account (ID) may be disabled if the user goes on vacation or goes on leave for an extended period. The period of time after which an account must be disabled will be determined by the IT Department. When the user returns, he or she can make a request that Security Administration reinstate privileges. The administrator would then check the individual’s status with management, and follow-through with the request if it is consistent with management’s intentions.