A corporate security policy is a set of written procedures and standards which clearly establishes directives that drive the corporate to a high security degree decreasing risks of vital information leakage and sabotage. It must be conceived in accordance to the business arena and environment the corporate is inserted and It must be formally conveyed to all staff.
There are four steps in creating a corporate security policy:
– The research of security standards and rules already in place, even if they are informal and unwritten;
– Understanding the corporate core business and demands, liabilities and consequences that a security break can provoke;
– Getting information regarding the internal environment and the external context the corporate is inserted.
2 Elaborating rules and standards
All procedures and directives must be clearly written and assigned to a person and/or a staff position. Versioning control must be included.
3 Procedure and review
This step is dedicated to research the best security practices used at the market. It is also the time to developed and formalize procedures to integrate them with company policies.
4 Approving and implementation
All corporate securty policy must include:
It must be simple, clear, straightforward. It must states what is expected and what are the responsibilities of each person and/or job position
Top managers declaration
A text signed by the board president, CEO, officers and high managers demonstrating that they are aware of the rules and regulations and support them.
It is important to give credit to the authors and list them so the staff knows who they can address suggestions of improvements, comments and even critics.
It is a good practice to include a session with references to other related documents and respected and well-known corporate security policies.
Procedures for dealing with exceptions and unforeseen situations
It must be included instruction about how to proceed and who one should contact in case of unexpected and unimagined situation..
Procedures and data for reviewing
Corporate security policy must determine a data interval for reviewing it and a procedure for approving and conveying the reviewed document.