Concerned about your existing AUP? Or are you looking to create a new usage policy from scratch? Either way, performing a risk assessment is a vital first step.
If you do not identify the risks posed by email and web misuse in your organisation, your AUP will not be fit for purpose and your company may still be exposed.
Download this legal briefing to understand the importance of your risk assessment.
WHITEPAPER
Getting your AUP right
Step 1: assessing your risks
A legal briefing
Author: Jonathan Naylor, Barrister, January 2010
www.messagelabs.com info@messagelabs.com
Introduction
If an Acceptable Use Policy (together with a technical solution to enforce it) is the final step in the process an organisation must go through to minimise the risks to its corporate IT systems, then the risk assessment must be the first step in that process.
So how does an employer undertake such a risk assessment? What factors should be considered, and how do the findings translate into an appropriate Policy and software solution? The aim of this short briefing is to give employers some guidance on how to conduct this crucial step in protecting the organisation from unnecessary risk.
What type of IT security risk assessment is suitable for your organisation?
Any organisation will need to consider what is most appropriate for the particular business, taking into account the nature of the employer and the specific threats that it faces. Will an informal "stop gap" review suffice; does the organisation require a more thorough and detailed assessment; or is it such a crucial area for this individual business (perhaps because it holds particularly sensitive data or has a very large number of employee IT users) that the organisation should outsource the assessment to an independent third party assessor?
In practice, how is the assessment going to be conducted? Should this be a formal process or merely an informal dialogue between senior management and the IT team? How will findings and recommendations be recorded and publicised? There are no set answers to these questions; the correct approach will vary depending on the specific business.
Why is a risk assessment needed?
Neglecting an IT security risk assessment can result in financial loss, organisational disruption, customer relations problems or brand damage. Key risks include employee misuse of corporate IT systems, loss of confidential or client data, denial of service attacks, viruses and other malware, inadequate disaster recovery arrangements, unauthorised access to systems and compromise of the corporate website.
If an organisation frequently bids for public sector work, tendering requirements will often demand that details of its policies and procedures, including whether a risk analysis has been conducted, are disclosed.
Employers should also consider what steps they need to take to comply with legislation such as the Regulation of Investigatory Powers Act 2000, the Data Protection Act 1998 and (if they are a public sector body) the Freedom of Information Act 2000.
Key elements to get right
In conducting any IT security risk assessment it is important to have both the understanding and the support of senior management. Employees also need some form of training so that they are aware both of the risks and of the steps that can be taken to minimise them. It is a difficult but important task to educate employees to see this not as the employer denying them the freedom to do what they want, or "spying" on them, but as a way of protecting both the individual and the business from unnecessary risk.
Companies may wish to consider adopting the British Standard on information security, BS 7799, which formed the basis of the international ISO/IEC 27000 series (ISO/IEC 27001 for the information security management system and ISO/IEC 27002 for the controls). These standards are increasingly being used to structure security processes.
You should consider the scope of any risk assessment; which elements of the business need to be covered? There may be a further risk to be considered if functions within the business are being outsourced to third party service providers or agency contractors.
Key areas to cover are:
- Consider the possible threats that your organisation may face and record them in a Risk Register. The Register will then assist in formulating responses to the identified risks.
- What is the physical location of your IT systems? Does this present any particular risks?
- Has the business developed a Disaster Recovery/Business Continuity Plan?
- What are the arrangements for regular backup of information and secure storage?
- Does your organisation use a wireless network? Are there specific arrangements needed for ... [download for more]