Baseball is the national pastime of America. The game is pretty simple to follow, but it also has lots of rules. And if you want to play baseball, you must play by the rules. In fact, the Major League Baseball (MLB) rulebook is over 185 pages long! That may seem bureaucratic, but the rules are necessary. The game has to be fair and consistent.
A very well-known rule of baseball is that after a batter has 3 strikes, they’re out. Imagine if that rule was not defined. How many strikes would a batter be afforded before they were called out? Who would make that decision? Rules are necessary if you want to govern the game.
In the same way that games need to be played by the rules, policies help govern the corporate world. Most organizations have a dress code. It is a policy that sets the rules for what employees can and cannot wear to work. Most organizations have a vacation policy. It sets the rules for how employees request time off and how supervisors approve or deny that request. Most organizations have an expense policy. It sets the rules for how employees can appropriately spend company money. Many organizations do not have an information security policy, and they suffer real consequences as a result.
The absence of a strong information security policy promotes uncertainty and confusion. Employees may not fully understand how to use technology in a safe and secure way. System Administrators are left alone to decide what cybersecurity controls are implemented and how. The organization’s ability to confidently protect itself and continuously reduce risk is jeopardized.
If an employee knows that they can’t wear a bathing suit to work (according to the dress code), then they should also know that they are not allowed to connect to an unsecured wireless network with their company laptop.
A good Information Security Policy provides the following benefits:
- It clearly defines the employee behaviors, business processes, and work procedures that are required to achieve the desired security posture.
- It provides adequate definition and guidance to build and maintain cybersecurity controls that will reduce overall risk.
- It is a tool that supports the organization’s legal and ethical responsibilities.
- It is an accountability instrument that drives individual and organizational compliance with expected behaviors and work procedures.
Baseball players would struggle to play the game of baseball if the rules were not defined. Employees will struggle to protect the organization from cyber threats and vulnerabilities if they are not provided rules and guidelines. That is why an Information Security Policy matters.
For help drafting your information security policy, contact TAG Solutions today!