This story was printed from ZDNet Australia.
Tackling security policy management

By Chy Chuawiwat, ZDNet Australia
April 30, 2003
URL: http://www.zdnet.com.au/insight/soa/Tackling-security-policy-management/0,139023731,120274097,00.htm


OPINION: Successful organisations need core IT security policies, as well as the means to monitor employee adherence. How can Australian organisations get it right?

Each organisation needs to identify its specific areas of concern--whether it be to protect information, maximise operational effectiveness, minimise corporate liability or guard against damage to its reputation.

From there enterprises can then figure out the most effective way of dealing with these concerns. This may involve hardware and software solutions, and also company-wide rules about appropriate usage and employee behaviour.

To establish an e-mail policy companies must:

  • Show determination in enforcing the policy.
  • Be specific about why the policy exists. This could include examples, such as protecting staff and the company against legal threats, preserving company reputation and maintaining IT security.
  • Name the individuals responsible for implementing and monitoring policy.
  • Clearly define what your organisation considers to be appropriate business and personal Internet usage, and the types of files that may not be circulated via e-mail or downloaded/uploaded via the Web.
  • Define company policies about the circulation of business material and explain potential pitfalls, such as how to avoid accidental distribution of confidential information and copyright infringement.
  • Explain the potential productivity losses, how to avoid them and what the consequences are.
  • Provide guidelines on avoiding data theft. This could include how to spot suspicious e-mails, Web pages and cookies.
  • Provide guidelines on avoiding viruses.
  • Make adherence to IT policies part of the terms and conditions of employment.

Large global organisations will probably find that a 'one size fits all' policy may not work for them. Laws vary between both states and countries, and each location may require its own version of the corporate policy. Many departments across locations--including HR, security, IT and legal--need to be consulted to define, document, maintain and enforce policies.

E-mail policies and related procedures need to be distributed rapidly and reliably throughout the organisation, accompanied by a test program to gauge employee understanding and confirm acceptance.

Setting up an IT security policy can be a daunting process, but it is one which Australian organisations should make sure they tackle.

Chy Chuawiwat is managing director at security vendor Clearswift Asia Pacific. He can be contacted at Chy.Chuawiwat@clearswift.com.au

