Security Policy
A written document (or set of documents) that outlines an organization's rules, guidelines, and expectations for security. It's essentially the dos and don'ts, and the reasons behind them, for maintaining security in the company.
Security policies can cover a range of topics - acceptable use of company devices, password requirements, data handling procedures, incident reporting steps, etc. For example, a simple security policy might state: "Employees must not share their account passwords; all portable devices must be encrypted; software should only be installed by IT or with IT approval," and so on.
The purpose of having these policies is to ensure everyone is on the same page and to provide a baseline of behavior that protects the company.
In small businesses, policies are often informal or unwritten ("Jeff handles IT and tells people what not to do"), but it's beneficial to document them, even briefly. It helps when onboarding new employees and creates accountability ("you signed that you read the policy"). BrightShield's product provides pre-built templates for common policies (Acceptable Use, Remote Work, Data Protection) to make this easier.
A policy isn't effective if it just sits in a drawer - it should be communicated and updated as needed. But it also shouldn't be overkill: policies for SMBs should be clear, concise, and relevant.
In short, a security policy is the foundation of governance, telling everyone "this is how we do security here."