Designing an IT policy for small businesses.

Besides the obvious rules you read in most dummy books (users cannot be admin, close outgoing email port 25 except for the mail server, etc), I usually add one restrictions:
- Users cannot execute ANY script/program OTHER than already installed (Software restriction policy). You'll thank me later when another cryptoware didn't run (which you'll only notice if you add extra logging)

Hi.

What I'd recommend would entirely be based on what skills and resources you have, regarding securing networks. Could you describe these?

I would say this is something you'd need to discuss with the owners of said businesses individually rather than setting a global IT policy for all your clients as each one would have different views on what they class as secure and acceptable.

IT policies can include a large area of security related material and would differ from client to client depending on what hardware/software they have, what they do, etc.

I would start by doing a basic security report for the client - point out the current settings, why they may cause a risk and recommendations for securing that area. From there discuss with the client accordingly and implement policies based upon what is agreed. You won't cover every conceivable security risk, but a good base can be achieved for that client's IT security policy. Note that some parts of IT security policy are not something that can be enforced by you alone (i.e. Staff leaving post-it notes with passwords on monitors, sharing passwords between themselves, etc).

Keep in mind that in this scenario IT security policies protect two parties - the client, and you! The point has been fairly made that you can't have a one-size-fits-all security policy template, but certain basic steps are common to pretty much all IT systems.

In a world where convenience trumps security more often than not, it's important to have on record the security recommendations that you make to every client so that when Bad Things happen you can point out that they had been given the information but declined to implement it.

It is a small business based so you need to identify firstly your key asset and business services. Make those into the policy definition including the stakeholder involved like the CXO suite, data/system custodian, end user. You will need to state the role and responsibilities clearly. Primarily, it aet the basic statement for user acceptance policy.

With that it is time to look into the protection strategy and personnel security
 For the former, you should be covering the endpoint machines and network protectionon the security baseline needed. The gist is to protect your key asset withproper change and patch management. Personnel security can define the onboarding, during and after engagement with contractors and user oversight needed. Importantly least privileges and role based assignment is advised.

The next section is on access control and monitoring which the former deals with ensuring accounts and identity are duly reviewed and managed regularly. The monitoring will need your advice to review the alertness in your looking after and response in time of incident. The following on section will then covers the incident management aspects.

These are high level objective the policy seek to address and give the direction. And put forth a security plan. Related articles below for additional references.

https://www.experts-exchange.com/articles/31709/Making-The-RIGHT-Security.html

https://www.experts-exchange.com/articles/17367/What-is-a-good-Security-Action-Plan.html

Hi everyone - apologies for late response on this one - travel and work interrupting . I am just digesting your replies and will write a more comprehensive reply in the next 24 hours .

Thanks
D

Hi - that was an extended 24 hours . Luckily none of you were counting .
Most of the clients in question are small businesses that I have assisted with maintaining their IT infrastructure for over 15 years. Hence I have a good intimate knowledge of their systems having built most of it. What I
Am bad at still after 20 years in the industry is cataloguing information and passing on written policies to clients - as one of you pointed out , convenience often  trumped security - I have over the last 2 years Changed that because of the onset of ransomware really scaring the hell out of me so I apply standard user rights to my clients pcs for example. But of course there are so many other layers to consider. Password complexity , how often does it need changing etc . In an enterprise I can understand how this is really necessary but in a small business it becomes tiresome to do this. Nonetheless some clients are willing to have policies clearly stated and which can be built on with time. This is why I am looking for a a general template to work from , a checklist what have you which asks whether each layer has been examined . It is very likely that I have applied policies in place in similar manner to many of yourselves but I don't have it organised in a logical manner and that's the part where I want to start. My initial idea was to treat it like an onion starting with the outer layer , applying policies for teleworkers, byod, smartphones that come and go out of the network. Then slowly work inwards via the perimeter of the wireless connection , onto ports on pcs through to logons themselves etc...
what do you think ?

Thanks BTan and everyone else. Clearly not a simple answer to this but i have gleaned enough information to start with something.