Security Risk Mitigation Policies and Plans

Protecting organizational resources means reducing the likelihood of a security incident and limiting the damage when one occurs. Several written policies and plans should be in place to do this.

Some policies and plans that should be in place include:

  1. Wireless network access policy - Provides serious penalties for anyone who places a wireless access point on the network without permission from the IT department. Uncontrolled wireless access points let attackers bypass the firewall and attack the internal network and all its resources directly. There should be a request form and an approval process for permitted wireless access points.
  2. Internet connection and modem use policy - All external connections to the internet or to other businesses must be approved by the IT department. Any violation of this policy should result in serious penalties.
  3. Mobile computer policy - Defines security requirements for all mobile computers: what data may be stored on them and whether that data must be encrypted, how malware will be kept off them, and how often they will be inspected for malware so that a virus or worm is not carried onto the internal network.
  4. IT resource acceptable use policy - Defines how IT resources are allowed to be used.
  5. Computer training policy - Defines the minimum training required for all users so that they can protect themselves and the network against social engineering and other attacks that rely on human error.
  6. Anti-virus and malware policy - Defines the anti-malware requirements for every computer, including how often signature updates are applied, how often each computer is scanned, which file attachment types are blocked at the mail server, and which anti-virus programs are approved for use.
  7. System update policy - Defines how often computers are updated with security patches and how the updates are applied.
  8. User privilege policy - Defines the privileges users may have on their computers, including which user groups are allowed to install programs and which have administrative access.
  9. Incident response plan - Defines how security incidents are reported, who responds to them, and how they are contained and resolved.
  10. Disaster Recovery Plan - Provides a plan to restore normal services after a disaster has destroyed services and/or equipment.
  11. Business Continuity Plan - A plan for continuing business processes between the time of a disaster and the time normal services are restored.

This list is not exhaustive, but these policies and plans are central to risk reduction, and every organization should address these computer-related risks in some fashion.