Designing an IT policy for small businesses.


I have several small business clients (about 10 users each), some of which are growing quite quickly. At the moment I have not enforced any policies regarding IT, but now is the time to do that, and I particularly want to have some in place which increase the security and protection of business data. There is a wealth of information out there, of course, but I would like to have a good template to start from which I can then adapt to my clients' requirements. Could someone point me in the right direction?

Dominic, IT Consultant, asked:

Besides the obvious rules you read in most "for dummies" books (users cannot be admins, close outgoing email port 25 except for the mail server, etc.), I usually add one restriction:
- Users cannot execute ANY script/program OTHER than what is already installed (Software Restriction Policy). You'll thank me later when the next piece of cryptoware doesn't run (which you'll only notice if you add extra logging).

What I'd recommend would entirely be based on what skills and resources you have, regarding securing networks. Could you describe these?
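As an added illustration of the default-deny Software Restriction Policy and the extra logging mentioned above (this is example code added here, not code from the thread's participants), the following PowerShell audit reads a workstation's effective SRP settings and lists recent enforcement events. It assumes the well-known SRP registry location under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers`, the `DefaultLevel`, `PolicyScope` and `LogFileName` values, and the SRP event IDs in the Application log; confirm these against your own Windows build, and run it elevated.

```powershell
# Added example: audit Software Restriction Policy (SRP) posture on a Windows client.
# Not from the original thread. Registry paths, value names and event IDs below are
# the commonly documented SRP locations and are an assumption to verify on your build.

$srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP DefaultLevel values and what they mean for anything not matched by a rule.
$levelNames = @{
    0      = 'Disallowed (default-deny: only rule-permitted software runs)'
    131072 = 'Basic User'
    262144 = 'Unrestricted (default-allow: SRP blocks nothing by default)'
}

function Get-SrpStatus {
    # Returns the effective SRP configuration, or a "not configured" record if absent.
    if (-not (Test-Path $srpKey)) {
        return [pscustomobject]@{ Configured = $false; DefaultLevel = $null
                                  LevelName = 'No SRP policy present'
                                  AppliesToAdmins = $null; LogFile = $null }
    }
    $p = Get-ItemProperty -Path $srpKey
    # A missing DefaultLevel must not be read as 0 (Disallowed); treat it as unknown.
    if ($null -eq $p.DefaultLevel) {
        $level = $null; $name = 'DefaultLevel value missing'
    } else {
        $level = [int]$p.DefaultLevel
        $name  = if ($levelNames.ContainsKey($level)) { $levelNames[$level] } else { "Unknown ($level)" }
    }
    [pscustomobject]@{
        Configured      = $true
        DefaultLevel    = $level
        LevelName       = $name
        # PolicyScope 1 = all users except local administrators; anything else = everyone.
        AppliesToAdmins = ($p.PolicyScope -ne 1)
        # LogFileName turns on SRP's advanced text-file logging; empty means no extra log.
        LogFile         = $p.LogFileName
    }
}

function Get-SrpEnforcementEvents {
    param([int]$Max = 20)
    # SRP writes its "access restricted" events to the Application log (assumed IDs:
    # 865 default level, 866 path rule, 867 certificate rule, 868 zone rule, 882 hash rule).
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
        Id           = 865, 866, 867, 868, 882
    } -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# ---- Report -----------------------------------------------------------------
$status = Get-SrpStatus
"SRP configured : $($status.Configured)"
"Default level  : $($status.LevelName)"
"Applies to admins: $($status.AppliesToAdmins)"
"Advanced log   : $(if ($status.LogFile) { $status.LogFile } else { '(not enabled)' })"

if ($status.DefaultLevel -ne 0) {
    Write-Warning 'Default level is not Disallowed: unlisted executables and scripts can still run.'
}
if (-not $status.LogFile) {
    Write-Warning 'Advanced SRP logging is off; blocked launches will be hard to notice.'
}

"`nRecent SRP enforcement events:"
Get-SrpEnforcementEvents | Format-Table -AutoSize

# Show the tail of the advanced log when it exists, so a blocked launch is visible.
if ($status.LogFile -and (Test-Path $status.LogFile)) {
    "`nLast lines of $($status.LogFile):"
    Get-Content -Path $status.LogFile -Tail 10
}
```

The warnings are the point of the script: a policy whose default level is not Disallowed, or that exempts administrators, is not the default-deny posture the comment describes, and without the advanced log or the Application-log events a blocked executable leaves no trace for you to review.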
Andy M, IT Systems Manager, commented:
I would say this is something you'd need to discuss with the owners of said businesses individually rather than setting a global IT policy for all your clients as each one would have different views on what they class as secure and acceptable.

IT policies can include a large area of security related material and would differ from client to client depending on what hardware/software they have, what they do, etc.

I would start by doing a basic security report for the client - point out the current settings, why they may cause a risk and recommendations for securing that area. From there, discuss with the client accordingly and implement policies based upon what is agreed. You won't cover every conceivable security risk, but a good base can be achieved for that client's IT security policy. Note that some parts of an IT security policy are not something that can be enforced by you alone (i.e. staff leaving post-it notes with passwords on monitors, sharing passwords between themselves, etc.).

Keep in mind that in this scenario IT security policies protect two parties - the client, and you! The point has been fairly made that you can't have a one-size-fits-all security policy template, but certain basic steps are common to pretty much all IT systems.

In a world where convenience trumps security more often than not, it's important to have on record the security recommendations that you make to every client so that when Bad Things happen you can point out that they had been given the information but declined to implement it.
btan, Exec Consultant, commented:
It is a small business, so you need to firstly identify your key assets and business services. Make those into the policy definition, including the stakeholders involved such as the CXO suite, data/system custodians and end users. You will need to state the roles and responsibilities clearly. Primarily, it sets the basic statement for the user acceptance policy.

With that, it is time to look into the protection strategy and personnel security.
For the former, you should be covering the endpoint machines and network protection in the security baseline needed. The gist is to protect your key assets with proper change and patch management. Personnel security can define the onboarding, during and after engagement with contractors, and the user oversight needed. Importantly, least privilege and role-based assignment are advised.

The next section is on access control and monitoring, where the former deals with ensuring accounts and identities are duly reviewed and managed regularly. The monitoring will need your advice on reviewing the alertness of what you are looking after and the response in time of incident. The following section will then cover the incident management aspects.

These are the high-level objectives the policy seeks to address and give direction on, and they put forth a security plan. Related articles below for additional references.
Dominic, IT Consultant (Author), commented:
Hi everyone - apologies for the late response on this one - travel and work interrupting. I am just digesting your replies and will write a more comprehensive reply in the next 24 hours.

Dominic, IT Consultant (Author), commented:
Hi - that was an extended 24 hours. Luckily none of you were counting.
Most of the clients in question are small businesses that I have assisted with maintaining their IT infrastructure for over 15 years. Hence I have a good intimate knowledge of their systems, having built most of it. What I am bad at still, after 20 years in the industry, is cataloguing information and passing on written policies to clients - as one of you pointed out, convenience often trumped security. I have over the last 2 years changed that because of the onset of ransomware really scaring the hell out of me, so I apply standard user rights to my clients' PCs, for example. But of course there are so many other layers to consider: password complexity, how often does it need changing, etc. In an enterprise I can understand how this is really necessary, but in a small business it becomes tiresome to do this. Nonetheless some clients are willing to have policies clearly stated which can be built on with time. This is why I am looking for a general template to work from, a checklist or what have you which asks whether each layer has been examined. It is very likely that I have applied policies in a similar manner to many of yourselves, but I don't have it organised in a logical manner, and that's the part where I want to start. My initial idea was to treat it like an onion, starting with the outer layer, applying policies for teleworkers, BYOD, smartphones that come and go out of the network. Then slowly work inwards via the perimeter of the wireless connection, onto ports on PCs, through to logons themselves, etc...
What do you think?
btan, Exec Consultant, commented:
An IT policy is good if there is a governance body overseeing it. It needs to be owned by the company and, strictly speaking, not by you as an external party. There is a need for this body to form an IT steering committee that holds regular meetings with updates on policy matters and even IT initiatives.

In short, without this the IT policy is just paper play. The baseline standards remain good to have, but without governance it defeats your purpose of having a consistent setting controlled and complied with. Audit will also come in. You have to build consensus to have this going... stakeholder engagement.

Let's say, if all is well, then a ransomware strategy as part of the policy can be supported. Here are two good references
And the cybersecurity framework

Dominic, IT Consultant (Author), commented:
Thanks btan and everyone else. Clearly not a simple answer to this, but I have gleaned enough information to start with something.