Ten top tips for inclusion in IT security policy

We have now all heard about the first fine potentially to be levied against British Airways. The fine is not there to punish accidents or problems that could not have been avoided. The fine is to punish for systemic failings, the accidents and problems that should have been avoided.

There are certain basics that need to be covered to demonstrate Accountability in data protection. You should have clearly defined Roles and Responsibilities, written and effectively published in-house Policies and Procedures and a programme of data protection training.

Some aspects of this control framework have let BA down on this occasion at least. IT security seems to have been an issue in particular. IT security is a subject in its own right, as lawyers we only advise on the organisational aspects of IT security, not the technical Information Security Management System aspects. Even so we would advise that IT security basics need to be communicated to colleagues.

What would we expect to see covered in an IT security policy?

Access control functionality and management for all users of these systems.
Access to systems will be governed on a need to know basis and personal responsibility for accessing data even when you have the right
Security for mobile computing and teleworking, homeworking, hotdesking etc
Password policy and the importance of keeping passwords secure
Security for removable and portable media devices
Bring Your Own Device security
Appropriate Use Guidelines and that it covers
- The importance of security and systems integrity, for example not loading software etc.
- That certain activities (examples provided such as downloading games, unacceptable material etc) are considered “improper use”
- The restrictions on using company IT for personal use and outlining circumstances when IT may be put to personal use

As well as the technical controls, the IT security policy should also remind colleagues that:

The confidentiality of data on IT systems including “personal data” (with a definition of personal data)
That employee use of company IT is monitored
Breach of the policy could result in disciplinary action.

Mandy Webster, Data Protection Consultant

About the Author: mandy.webster

Since June 1999 Mandy Webster has been a freelance consultant offering audit, advice and training on privacy, information security and e-commerce issues as Data Protection Consulting Limited. The company’s mission is to help clients from a variety of sectors, and of all sizes, comply with data protection law and to that end it offers a range of solutions. Mandy, a qualified lawyer, is author of ‘Data Protection for the HR Manager’ and ‘Data Protection in the Financial Services Industry’ published by Gower and “Effective Data Protection” and ‘The ICSA Data Protection Troubleshooter’ published by ICSA Publishing Limited. Mandy is a well-known writer, commentator and speaker on data protection.

Ten top tips for inclusion in IT security policy

What would we expect to see covered in an IT security policy?

HIV Charity fined for bulk email errors

Fine reduced on appeal

Facebook data breach hits the news again

The Pain a Simple Data Breach Can Cause

Facebook facing mass action challenge in UK

Ten top tips for inclusion in IT security policy