What is an IT Security Policy and why does your company need one?
An IT Security Policy identifies the rules and procedures that all individuals accessing and using an organisation’s IT assets and resources must follow. The policies provide guidelines to employees on what to do—and what not to do. They also define who gets access to what, and what the consequences are for not following the rules.
The goal of these security policies is to address security threats and implement strategies to mitigate IT security risks, as well as defining how to recover when an incident occurs.
Watch this video where the Chief Information Security Officer in Visma, Ole William Ingelsson, explains what a security policy is, why it’s’ important, and how we work with security policies in Visma:
Why are security policies important?
Regardless of company or business size, every organisation needs to have documented IT Security Policies to help protect the organisation’s data and other valuable assets. It is a requirement for organisations that must comply with various regulations and standards such as GDPR and ISO.
The key factor is to have “documented” security policies that clearly define your organisation’s position in security questions. This can be of critical importance in the event of a data breach.
For our clients and customers, this represents a sense of reassurance knowing that Visma is constantly applying policies and procedures to keep our assets and data secure.
How to enforce an IT Security Policy?
There are different approaches to how rules are being enforced. While some organisations will take a more lenient approach and trust their employees to do the right thing, others will roll out a more forced top-down approach in which managing directors will oversee the whole process.
Of course, you will need to find the right balance for your organisation. It is no secret that people don’t always choose to follow rules, especially if they believe it is quicker and more practical not to. At the same time, you should be careful not to destroy the feeling of trust to the point that the employees feel treated like school children.
An important aspect is rather to motivate everyone and get them to understand why the policies are important and how they’re helpful. They are not only there for audits and to show off that everything is up to the right standard on paper, but they are there for the company itself and its employees, to provide them with knowledge.
At the end of the day, it is important not to forget that our customers and stakeholders should be assured that we do things as safely and well as possible—even if it takes time—and that we’re dependable on this trust.
Security policies in Visma
We are a large company, consisting of a federation of different business units operating in different segments providing different software and services. Each of our units has its own sets of policies intended for their line of business and the nature of their activities.
That means that they are free to implement specific information security policies and organise their security work as long as it does not lead to any conflicts with policies set on the Visma Group level.
The different units are indeed free to have stricter policies than those on the corporate level if they wish, but their policies cannot be less strict.
The Visma group policies are the overarching policies and apply to everyone. The policies must be part of the onboarding process for all new employees, making sure that everyone joining the Visma family has read them carefully and are familiar with their content.