We are often reminded that an effective information technology security policy is the key to a safe and secure working environment, whilst offering some peace of mind to the business with regard to its vital data assets. But, where do you start when putting an information technology security policy together?

Creating and maintaining a security policy can be eased by breaking it down into logical sections. Some of the key sections are included here:

• Physical security of equipment and software
• Security and business risk assessment
• Compliance with legal requirements and regulatory guidelines
• Information disclosure, data protection, intellectual property, and data destruction
• Access control mechanisms including logging and regular monitoring
• Major incident response
• Domestic service supply including electricity, environmental control solutions, water, drainage
• Availability
• Remote access
• Malware protection
• Regular data backup and recovery
• Business continuity
• Classifying business value of data
• Segregation of duties
• Supplies of regularly uses business stationery and consumables
• Identification and management of business custodians
• End-User awareness mechanisms
  • Regular communication
  • Guidance on the appropriate use of technology (Internet, emails, etc) 
  • Business consideration of the application of public Web 2.0 services and technologies 
  • Access to social networking services and forums
  • Personal electronic messaging and instant messaging
• Regular information gathering, management, reporting and feedback
• Operational Matters
• Up to date asset register and asset lifecycle
• End user account lifecycle administration
• Network security administration and control
• Supplier management
• Customer compliance
• Change Control Management
• Patch and Update management
• Content control and access logging and monitoring