Guest Column | July 6, 2015

5 Best Practices For Establishing A Security Policy

By Chris Crellin, VP of Product Management, Intronis

IT security is a concern for every business, but what many are missing is that the solution isn’t just about the products in play. It’s about the policies too.

At the recent RSA Conference in San Francisco, an abundance of products and solutions — from firewalls and antimalware protection, to endpoint, mobile, and network security — were being marketed to protect organizations’ critical infrastructure, applications, and data. But without a robust security policy in place, even the industry’s best products can only go so far to protect an organization from data loss. That’s where MSPs (managed services providers) can step in and make a difference.

If you already offer managed data protection and IT security solutions to customers, you’re a step ahead. But what about helping your customers establish an IT security policy that can be adopted both in the office and in the field? Many of our most successful channel partners further differentiate themselves by helping customers establish company-specific security policies that work to educate associates and guide behavior, in addition to protecting the business and adhering to regulations.

Building a security policy is a great value-add and certainly something customers will pay for if you incorporate it into your service. So how do you get started? Here are five best practices:

  1. Identify Roles And Responsibilities. One of the first things an MSP should do when setting up a security policy for a customer is to identify who has access to critical infrastructure, data, and applications — and how much access each of them should be allowed. For example, system admins should have greater access than front-line technicians, and contractors should generally have more restricted, and potentially time-limited, access than employees.
  2. Set Data Retention Parameters. MSPs should be diligent about helping their customers set up policies and procedures for purging unwanted data and applications from their systems once they are no longer needed. Keep in mind that there may be document retention policies that should be enforced for certain industries, but when records are kept beyond those required dates, there is an increased risk of theft. What’s more, the cost of needlessly storing data can be a huge drag on the organization’s bottom line.
  3. Create A Private Key. MSPs can provide guidance to their customers on how to set up and manage private keys so that there is no single point of failure, which can occur if the one person with access to the organization’s network, data, and applications were to leave the company. Some organizations may also choose to split the access between two or more individuals. It is important to note that when setting up a private key, it should be written down and locked in a safe that more than one trusted individual has access to.
  4. Establish Encryption Requirements. By encrypting information, organizations can protect critical data and applications from being stolen by hackers. MSPs can help their customers establish encryption requirements for critical applications and data stored on the network, in the cloud, and during transmission. As a rule of thumb, military-grade 256-bit AES (Advanced Encryption Standard) encryption works best for all applications and data being stored in the cloud. Additionally, data in transit should be protected by SSL (Secure Sockets Layer) encryption.
  5. Achieve Compliance. Customers operating in regulated industries such as healthcare, finance, and retail must ensure that all data, network, and application security complies with relevant industry regulations (e.g., HIPAA, FINRA, and PCI DSS). Additionally, U.S. companies that have customers or partners in the European Union (EU) must comply with the EU Data Protection Directive and maintain the privacy and integrity of that data. For more information on Safe Harbor Certification, MSPs can visit http://www.export.gov/safeharbor/.

Today’s highly competitive business environment means that organizations cannot mess around when it comes to the security and protection of their networks, data, and applications. In addition to the aforementioned best practices, MSPs can also add value and grow their businesses by helping their customers properly vet security products and solutions to ensure that they provide the desired level of protection.

Chris Crellin is vice president of product management at Intronis, a Boston-based provider of backup and data protection solutions for the IT channel. He has more than 15 years of experience in the security and data protection industries, and previously worked for Datto, Inc. and RSA, the Security Division of EMC.