Information security policy
To protect your information assets, you need to define acceptable and unacceptable use of systems and identify responsibilities for employees, IT staff, and supervisors/managers. This policy offers a comprehensive outline for establishing rules and guidelines to secure your company data.
From the policy:
An employee who uses the company workstations or systems to conduct business operations must:
- Ensure that all equipment use is for business/professional reasons.
- Access only information that is needed to perform their jobs or assist others in doing so as part of the valid scope of their duties.
- Be responsible for the content of all data, including text, audio, and images they share internally or externally. All communications should have the employee’s name attached.
- Be responsible for all actions/transactions performed with their accounts.
- Use passwords and screen locks on company-owned systems or devices, or those that have been approved for access to company data.
- Log out when leaving a workstation for an extended period.
- Store all shared passwords (such as for departmental accounts) in a centralized and encrypted password database, such as Password Safe or KeePass. The main password for these databases must also be kept private and provided only to authorized individuals.
- Change passwords per company policy (e.g., every 90 days).
- Know and abide by all applicable company policies dealing with security and confidentiality of company records.