
Policies and Procedures

Data Security

The following information is a part of our free cybersecurity and compliance Academy course.


Policies and Procedures Overview


A lot of your data security and compliance process should be spent on documenting your policies and procedures. These documents will serve as the foundation for data security at your organization. They’ll be used for compliance, employee training, and most importantly, setting the tone for your security culture.

In our policies and procedures section, we’ll discuss things like:

  • Firewall rules

  • System hardening standards

  • Data retention policies

  • And of course, password policies.

We’ll also talk about the data security compliance mandates you may be required to follow—like PCI, HIPAA, and GDPR.

You’ll learn what documentation you need to create, and why you need it. We’ll also cover employee policies about passwords, access, and mobile devices.

To get started on your policies and procedures, take a few minutes to read the following sections and note the areas where you’re lacking. And most importantly, make updating your policies and procedures a regular, scheduled event.

Security Policy Documentation


First, your security policies and procedures should be written down and easily accessible to all employees. 

Security policies may help protect your business from potential liability in the event of a breach, as thorough and accurate documented security policies and procedures help forensic investigators see what security measures your company has in place. However, the main purpose of a documented security policy is to help you avoid a data breach.  

Documents you’ll want to include in your security policy:

  • Employee manuals/handbook

  • Policies and procedures

  • Risk analysis/assessment

  • Risk management plan

  • Lists of third-party vendors (and what they do for you)

  • Lists of employees and their access to systems

  • Third-party vendor agreements

  • Inventory of all devices including physical location, serial numbers, and make/model

  • Incident response plans

Regularly updated documentation of all security measures and actions is key.

Your documentation should answer questions, such as: 

  • What are your risks and vulnerabilities?

  • How secure are your workstations?

  • Does your staff understand how to safeguard sensitive data?

  • What is the state of your location’s physical security?

  • How does BYOD (“bring your own device”) factor into your security strategy?

  • Who are the responsible parties for your data security?

  • How are systems configured?

  • What are your authorization and approval processes?

In order to keep your security documentation up to date, you must constantly revise and add to it.

Just like all your other weekly activities, documentation should be an ongoing part of your entire business-as-usual security strategy. Try to examine and adjust at least one piece of documentation each week or as you make organizational updates. Don’t pile it into one day or one month at the end of the year.



Password Policies



Unknown to many organizations, devices are often installed and used without changing their default passwords.

However, most default passwords and settings are well-known throughout hacker communities and are easily found via a simple Internet search. When defaults aren’t changed, it provides attackers an easy gateway into a system. Changing vendor defaults on every system with sensitive data (or in network zones where sensitive data exists) protects against unauthorized users.

In one SecurityMetrics forensic investigation, it was discovered that a third-party IT vendor purposely left default passwords in place to facilitate easier future system maintenance. Default passwords might make it easier for IT vendors to support a system without having to learn a new password each time; but convenience is never a valid reason to forgo security.


Even when default passwords are changed, a username and password that aren’t sufficiently complex make it that much easier for an attacker to gain access to an environment. An attacker may try a brute-force attack against a system by entering multiple passwords (via an automated tool that tries thousands of password options within a matter of seconds) until one works.

Remember, secure passwords should be at least 8 characters long, and include an upper and lower-case letter, number, and special character. Passwords that fall short of these criteria can easily be broken using a password-cracking tool. In practice, the longer a password is and the more characters it has, the more difficult it will be for an attacker to crack.

An easy way to remember complex passwords is by using passphrases. Passphrases are groups of words with spaces in between (e.g., “We Never Drove Toward Vancouver?”). A passphrase can contain symbols and upper- and lower-case letters, and it doesn’t have to make grammatical sense.

Passphrases are generally easier to remember, but harder to crack than passwords.

In addition to strong passphrases, password management software can help you use different passwords for all your accounts. Some password managers can even work across multiple devices and sync across the Cloud.

You really need different passwords for different services, so if one service gets compromised, it doesn’t bleed into other passwords for other sites. For example, if your email account password is compromised and you use the same password across devices and websites, you have a major security problem on your hands.

Although organizations may have ID credential policies in place (such as requiring each employee to use a unique ID credential and a complex password), employees often don’t follow them. Employees might have unique ID credentials, but they often share them with other workforce members, thinking that it is fine to share usernames and passwords with individuals who already have access within the system, such as co-workers, IT providers, and receptionists.


You should also establish an account lockout that triggers after six consecutive failed login attempts and keeps the account locked for at least 30 minutes. Requiring an administrator to manually unlock accounts will prevent attackers from guessing hundreds of passwords consecutively. If an attacker only has six chances to guess the correct password, their attempts will likely fail. Once locked out, they will move on to an easier target.

Convenience is never a valid reason to forego security.
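As an added example (not part of the original course material), the following Python implements the two controls described above: the minimum password complexity rule, and a lockout after six consecutive failed attempts within a 30-minute window that only an administrator can clear. Timestamps are plain epoch seconds so the scenario can be replayed offline; the usernames, attempt times and the guessing scenario are constructed.

```python
import re

MIN_LENGTH = 8                     # at least 8 characters
LOCKOUT_THRESHOLD = 6              # six consecutive failures ...
LOCKOUT_WINDOW_SECONDS = 30 * 60   # ... within a 30-minute period


def password_meets_policy(password: str) -> bool:
    """Return True when the password satisfies the page's minimum rule:
    8+ characters with an upper-case letter, a lower-case letter, a digit
    and a special character. Spaces are allowed, so a passphrase qualifies
    as long as it also contains each character class."""
    if len(password) < MIN_LENGTH:
        return False
    required = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9\s]")
    return all(re.search(pattern, password) for pattern in required)


class LockoutTracker:
    """Tracks failed logins per username and locks the account after
    LOCKOUT_THRESHOLD consecutive failures inside LOCKOUT_WINDOW_SECONDS.
    A locked account rejects every attempt, correct password or not, until
    admin_unlock() is called: the manual-unlock model the text recommends."""

    def __init__(self) -> None:
        self._failures: dict[str, list[float]] = {}   # username -> failure times
        self._locked: set[str] = set()

    def record_attempt(self, username: str, success: bool, now: float) -> str:
        """Return 'ok', 'failed' or 'locked' for a login attempt at time `now`.
        `success` is the outcome of the credential check performed elsewhere."""
        if username in self._locked:
            return "locked"                        # nothing is checked while locked
        if success:
            self._failures.pop(username, None)     # a success resets the failure run
            return "ok"
        window_start = now - LOCKOUT_WINDOW_SECONDS
        recent = [t for t in self._failures.get(username, []) if t >= window_start]
        recent.append(now)
        self._failures[username] = recent
        if len(recent) >= LOCKOUT_THRESHOLD:
            self._locked.add(username)
            return "locked"
        return "failed"

    def is_locked(self, username: str) -> bool:
        return username in self._locked

    def admin_unlock(self, username: str) -> None:
        """Clear the lock and the failure history; only an administrator should call this."""
        self._locked.discard(username)
        self._failures.pop(username, None)


def simulate_guessing(tracker: LockoutTracker, username: str, start: float) -> int:
    """Constructed scenario: an automated tool fires one wrong guess per second.
    Returns how many guesses the tracker accepted before the account locked."""
    guesses = 0
    while tracker.record_attempt(username, False, start + guesses) != "locked":
        guesses += 1
    return guesses + 1   # count the attempt that triggered the lock
```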



Limit Access



You should have a role-based access control (RBAC) system in place, which grants access to sensitive data and systems to individuals and groups on a need-to-know basis. Configuring administrator and user accounts prevents exposing sensitive data to those who don’t have a need to know.

You should have a defined and up-to-date list of the roles with access to sensitive data. On this list, you should include each role, the definition of each role, access to data resources, current privilege level, and what privilege level is necessary for each person to perform normal responsibilities. Users must fit into one of the roles you outline.

You also need to think about staff members who change roles within your organization and when they no longer work for your organization.

User access isn’t limited to your normal office staff. It applies to anyone who needs access to your systems or the area behind the desk, like that IT guy you hired on the side to update your software. You need to define and document what kind of user permissions they have.

Have a defined and up-to-date list of the roles with access to systems that hold sensitive data.


Electronic systems access: Usernames are a great way to segment users by role. It also gives you a way to track specific user activity. The first question you need to ask yourself is, does each staff member have a unique user ID? If not, that’s a great place to start.

Physical access: Make sure anyone not on your regular staff is escorted around the office by a staff member. Visitors should be ID’ed and logs should be kept that document details such as their name, the reason for being at your organization, what company they’re from, time they entered, and when they left.
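As an added example (not part of the original course material), the following Python encodes the role list described above (role, definition, data resources, required privilege level) and audits a set of accounts against it, flagging users who fit no role, who hold access beyond their role, or who have left but still have access. The privilege scale, the three roles and the five accounts are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Privilege levels ordered from least to most powerful (assumed scale, not from the page).
PRIVILEGE_RANK = {"none": 0, "read": 1, "write": 2, "admin": 3}


@dataclass(frozen=True)
class Role:
    name: str
    definition: str                     # what the role is for
    data_resources: FrozenSet[str]      # resources the role legitimately needs
    required_privilege: str             # level needed for normal responsibilities


@dataclass(frozen=True)
class User:
    username: str
    role: Optional[str]                 # None when nobody assigned a role
    granted_resources: FrozenSet[str]   # what the account can actually reach
    current_privilege: str
    active: bool = True                 # False once the person has left


def audit_access(roles: List[Role], users: List[User]) -> List[Tuple[str, str]]:
    """Compare each account with the role list and return (username, finding)
    pairs. An empty list means the documented roles and reality agree."""
    role_by_name = {r.name: r for r in roles}
    findings: List[Tuple[str, str]] = []
    for u in users:
        if not u.active:
            if u.granted_resources or u.current_privilege != "none":
                findings.append((u.username, "departed user still has access"))
            continue
        role = role_by_name.get(u.role) if u.role else None
        if role is None:
            findings.append((u.username, "does not fit any defined role"))
            continue
        extra = sorted(u.granted_resources - role.data_resources)
        if extra:
            findings.append((u.username, f"access beyond role: {', '.join(extra)}"))
        if PRIVILEGE_RANK[u.current_privilege] > PRIVILEGE_RANK[role.required_privilege]:
            findings.append((u.username,
                             f"privilege {u.current_privilege} exceeds required {role.required_privilege}"))
    return findings


# Constructed sample data: three roles and five accounts, not taken from any real organization.
ROLES = [
    Role("front-desk", "Handles check-in and reservations", frozenset({"reservations"}), "read"),
    Role("billing", "Processes payments", frozenset({"reservations", "cardholder-data"}), "write"),
    Role("it-contractor", "Outside IT support patching servers", frozenset({"patch-console"}), "admin"),
]
USERS = [
    User("alice", "front-desk", frozenset({"reservations"}), "read"),
    User("bob", "front-desk", frozenset({"reservations", "cardholder-data"}), "read"),
    User("carol", "billing", frozenset({"reservations", "cardholder-data"}), "admin"),
    User("dave", "receptionist", frozenset({"reservations"}), "read"),
    User("erin", "billing", frozenset({"cardholder-data"}), "write", active=False),
]


def sample_findings() -> List[Tuple[str, str]]:
    """Run the audit over the constructed sample and return its findings."""
    return audit_access(ROLES, USERS)
```

Running the audit on each role or access change (and whenever someone leaves) keeps the documented list and the real access in step, which is the requirement the section states.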





Mobile Device Security


Mobile devices require additional security measures to make sure sensitive data is protected. Companies often forget about mobile devices (such as phones or iPads) when writing security policies and procedures. It’s potentially difficult to apply a policy written for workstations and laptops to a mobile device. You need to address their security issues separately.

In addition, when employees use their own personal smartphones or tablets to access data, those devices are exposed through the other apps installed on them. With each downloaded app, your risk grows.

Think about others using that mobile device outside the office. For example, employees sometimes let their kids play with their personal or work smartphone, and someone accidentally downloads a malicious app that records what the user types. The next time that employee uses the mobile device on your network, that malware may steal passwords to your systems.

To address these concerns, consider using the National Institute of Standards and Technology (NIST) mobile guidelines for security engineers and providers.



There are some obvious things you should and shouldn’t do with your sensitive data while using your mobile device. For example:

  • Accept OS and app updates immediately. Just like computers, mobile devices must be patched often to eliminate software or hardware vulnerabilities found after initial release.

  • Use discretion when downloading apps. Even if apps look legitimate, they may be infected with malware that could compromise data and cause a serious data breach.

  • Don’t jailbreak your device. Jailbreaking your device makes your device less secure. While this may let you do more with your device, it also leaves it more vulnerable to attacks.

  • Make sure the devices you plug your mobile device into (e.g., your home computer, work laptop) are secure. If your computer/network isn’t secure, it could act as a portal for hackers to gain access to your mobile device.

  • Implement a 10-character password/pin with a special character, letters, and numbers on your mobile device, where applicable.

  • Connect to your sensitive environments (such as your CDE or EMR/EHR) via secured remote access, either through a virtual private network (VPN) or using multi-factor authentication (MFA).

  • Encrypt your data. If you have sensitive data on your mobile device, make sure it’s encrypted.

  • Use mobile vulnerability scanning. A vulnerability scanner like SecurityMetrics Mobile for your mobile device can help discover weaknesses.

  • Establish mobile device policies. Whether your company owns the devices or your employees use their own devices, you need to have security policies set up that address the use of mobile devices.

  • Train employees on mobile device policies and security best practices. Your employees should know about malware and take the right measures to avoid it.

  • Remote wipe devices immediately after they have been lost and/or stolen, when applicable. This remotely erases the sensitive data on mobile devices.

If you don’t secure mobile devices, your organization’s sensitive data is at risk. Even though it can be hard to fit mobile devices into a traditional network or data security model, you need to consider them in your information security planning.




Employee Training


Although most workers aren’t malicious, they often either forget security best practices or don’t know what they’re required to do.

Unfortunately, many hackers take advantage of human error to gain access to sensitive data. For example, workforce members may leave mobile devices unattended and in plain sight, or hackers may access networks because workforce members set up easy-to-guess passwords. And the list goes on.

By holding your employees accountable, you can protect your business and customers more effectively.

To help protect sensitive data, employees need to be given specific rules and regular training. Regular training will remind them of the importance of security and keep them up to date with current security policies and practices. Here are some tips to help employees protect your sensitive data:

  • Set monthly training meetings: Focus each month on a different aspect of data security, such as passwords, social engineering, email phishing, etc.

  • Give frequent reminders: These could be sent out in an email, newsletter, during standup meetings, and/or security webinar that includes tips for employees

  • Train employees on new policies ASAP: Newly hired employees should be trained on security and compliance policies as quickly as possible

  • Make training materials easily available: Intranet sites are a great way to provide access to training and policy information

  • Create incentives: Reward your employees for being proactive

  • Regularly test employees: Create an environment where employees aren’t afraid to report suspicious behavior

  • Leverage technology: Whenever possible, technical security controls should be put in place to provide a safety net in case training fails



Physical Security



Employees may think physical security only applies after hours. However, most data thefts occur in the middle of the day, when staff is too busy with various assignments to notice someone walking out of the office with a server, company laptop, phone, etc.

The best way to control physical threats is through a physical security policy that includes all rules and processes involved in preserving onsite business security. For example, if you keep confidential information, products, or equipment in the workplace, keep these items secured in a locked area. If possible, limit outsider access to one monitored entrance, and (if applicable) require non-employees to wear visitor badges at all times.

Don’t store sensitive information (like payment card data) out in the open. For example, many hotels keep binders full of credit card numbers behind the front desk, or piled on the fax machine, for easy reservation access. Unfortunately, the collection of files not only makes life easier for employees, but it puts criminals within reach of data at front desks or fax machines.

Employee access to sensitive areas should be controlled and must be related to an individual’s job function.

Unfortunately, many organizations don’t worry as much about the physical aspect of their security. While they may address many foundational security issues, they’re likely to overlook details such as:

  • Unlocked office/storage doors

  • Window blinds

  • Reception desks

  • Lack of screen savers and privacy monitors

  • Theft of devices/hardware

  • Malware in left-behind devices

The majority of physical data thefts take only minutes to plan and execute.

You also need to control employee access to sensitive areas, which should be related to an individual’s job function. You should document:

  • Who has access to secured environments and why they need this access

  • What, when, where, and why devices are used

  • A list of authorized device users

  • Locations where the device is and is not allowed

  • What applications can be accessed on the device

Access documentation must be kept up to date, especially when individuals are terminated or their job role changes.

Best practice is to not allow mobile devices to leave the office, but if they must, consider attaching external GPS tracking technology, plus installing and enabling remote wipe on all laptops, tablets, and smartphones.

In addition, make sure all workstations and devices have an automated timeout or logout: a password-protected screen saver that appears after a set period of inactivity. This helps discourage thieves from trying to access data from these workstations when employees aren’t there.




System Configuration



Application developers will never be perfect, which is why updates that patch security holes are released frequently. Once a hacker knows a security hole can be used to get in, that knowledge spreads through the hacker community, which can keep exploiting the weakness until the patch is applied.

Quickly implementing security updates is crucial to your security posture. Patch all critical components in the card flow pathway, including:

  • Internet browsers

  • Firewalls

  • Application software

  • Databases

  • POS terminals

  • Operating systems

Older Windows systems can make it difficult for organizations to remain secure, especially when the manufacturer no longer supports a particular operating system or version, for example Windows XP and Windows Server 2003. Operating system updates often contain essential security enhancements specifically intended to correct recently exposed vulnerabilities. When using an unsupported operating system that doesn’t receive these updates and patches, your vulnerability potential increases exponentially.

Be vigilant about consistently updating the software associated with your system. Organizations should set up policies to install critical patches within a month of release. Don’t forget about other critical software like credit card payment applications or other non OS components. To stay up to date, ask your software vendors to put you on their patch and upgrade notification list.

Keep in mind that the more systems, computers, and apps your company has, the more potential vulnerabilities it may be exposed to.

Another way to stay on top of vulnerabilities is vulnerability scanning, which is arguably the easiest way to discover missing patches that cybercriminals would exploit to gain access to and compromise your organization.


Any system with access to sensitive data needs to be hardened before use; the goal of hardening a system is to remove any unnecessary functionality and to configure the system in a secure manner.

Organizations should address all known security vulnerabilities and be consistent with industry-accepted system hardening standards. Some good examples of hardening guidelines are produced by:

  • Center for Internet Security (CIS)

  • International Organization for Standardization (ISO)

  • SysAdmin Audit Network Security (SANS) Institute

  • National Institute of Standards and Technology (NIST)


Don’t forget to develop and test applications in accordance with industry-accepted standards like those of the Open Web Application Security Project (OWASP).



In addition to updating and securing applications, you should implement web application firewalls (WAFs) in front of public-facing web applications to monitor, detect, and prevent web-based attacks. They can also be used when performing application security assessments. Remember, these web application firewall solutions typically don’t perform the many functions of an all-purpose network firewall (for example, network segmentation), but they specialize in one specific area: monitoring and blocking web-based traffic.


Advantages of a WAF:

  • They have an immediate response to web application security flaws

  • They provide protection for third-party modules used in web applications

  • And they can be deployed as reverse proxies

Drawbacks of a WAF:

  • They require more effort to set up

  • They can break critical business functions if not configured carefully

  • And they may require some network reconfiguration



Policies and Procedures Quiz

Question 1:

What is an example of a WEAK password? (Choose only ONE best answer.)

  1. Q1p0z2m9%@

  2. ILikeEatingOranges34^

  3. qwerty

Question 2:

You should train employees on… (Choose only ONE best answer.)

  1. Social selling

  2. Social policies

  3. Social engineering

Question 3:

Your organization should review its security policies and procedures… (Choose only ONE best answer.)

  1. Every five years

  2. Every other year

  3. Annually

Question 4:

Where should sensitive information (like payment card data) be stored? (Choose only ONE best answer.)


  1. Behind the front desk (out in the open)

  2. Piled on a fax machine

  3. Kept in a locked, secure area

Answer Code: Q1: 1, Q2: 3, Q3: 3, Q4: 3
