Security policies

What is the security policy in the company?

A security policy is a document containing a set of rules for protecting the
company's information systems (IT, communication, access control and other systems
used in business processes). The main purposes of implementing a security policy are:

  • Protection against data loss and against loss of data integrity or confidentiality
  • Ensuring the continuity of business processes
  • Avoidance of measurable financial losses


The benefits of having a security policy

  • Development and implementation of regulations and procedures adapted to the environment of a specific company
  • Developing habits of maintaining information confidentiality and limited trust
  • Applying the above habits not only to strangers, but also to people whose identity we are not able to confirm
  • Building awareness among employees that their actions are subject to strict procedures, deviation from which may result in specific threats
  • The transfer of the above principles into the sphere of private life will also increase its security


What is included in the security policy?

  • Classification of individual components of an IT system in terms of their necessity in running business processes
  • Definition of security levels for individual classes of necessity
  • Definition of the properties to be protected
  • Definition of procedures and recommendations for employees of particular departments
  • Specimens of the documents used
  • Work regulations in the IT system


An example necessity classification:

  • Necessary - elements without which the company's operation is impossible
  • Important - elements whose tasks can be performed by other means, but with additional effort and cost
  • Essential - elements whose tasks must be divided due to the amount of information
  • Supportive - elements whose tasks can be performed with the use of other tools with little additional effort and resources


Examples of policy-defined security levels:

  • Critical level - covers data and equipment, damage to which may cause a breakdown in the functioning of the company
  • High level - covers data and equipment, damage to which may cause significant difficulties in the normal functioning of the company
  • Average level - covers data and equipment, the loss of which will slightly affect the functioning of the company
  • Low level - protects data and equipment, the loss of which may cause only minor damage, without affecting the functioning of the company


Recommendations and procedures included in the security policy

  • Concerning the administration of ICT systems
  • Concerning the use of ICT systems (e.g. installing software, defining passwords, reading external media and destroying data carriers)
  • Concerning the recruitment and dismissal processes of employees and the storage of their data (department


Specimens of documents included in the security policy

  • Confidentiality statement for employees using remote
    access to company resources (VPN)
  • Confidentiality statement for people from outside the company using temporary
    remote or local access to perform contracted work
  • Company secrecy declaration
  • Work regulations in the IT system


Company secret

  • One of the tasks of the security policy should be the protection of company secrets
  • A trade secret consists of undisclosed technical, technological or organizational information and information of economic value, for which
    the employer has taken the necessary steps to maintain its confidentiality. It is therefore information unknown to the general public or to persons who, due to their profession or activity, are interested in having it.
  • Legal basis: the Labor Code (Journal of Laws of 1998, No. 21, item 94, as amended), the Act on Combating Unfair Competition (Journal of Laws of 2003, No. 153, item 1503, as amended).