Are your IT policies strong enough? Chances are, probably not

We reviewed the results of cyber checkups after the program’s first year. We identified the topics that most local governments need to improve. The most common was needing to implement or improve IT policies. We first published this article in October 2023, but due to its importance, we’re republishing it as a reminder. Also, keep a watch for an upcoming article that reviews results from the cyber checkups.

Information technology policies and procedures work together with your technical security controls to protect your government’s sensitive information from unauthorized access, corruption and loss. While many governments have implemented strong security controls, SAO’s Center for Government Innovation’s cyber checkups have found that most local governments lack strong written policies or are not enforcing them.

An IT policy is a written document that contains behavioral and technical guidelines for how your employees and contractors should use IT resources within your government. It outlines strategies for reducing threats and recovering from actual attacks that could harm your government. It also ensures that your government follows compliance requirements with relevant laws and regulations, such as the Health Insurance Portability and Accountability Act, Payment Card Industry Data Security Standard, and Criminal Justice Information Services.

IT policies are the foundation of almost all the security controls we examine in our cyber checkups. And in nearly every checkup we do, we recommend strengthening existing policies or writing new ones to close gaps.

To help get you started, we’re sharing the top seven policies that your government should have in place. While it may be daunting, there are also a lot of resources to help you, including the Center for Government Innovation.

What policies do you need?

Below, we recommend seven areas that should be addressed either in a single policy or separate ones. Depending on your government, you may want to also consider developing policies for remote access, mobile devices, data retention or vendor management.

• Acceptable use. This policy should outline the acceptable use of your government’s computer equipment and resources. It should also define what inappropriate use is and the risk it may cause.
• Passwords. You should identify your government’s requirements for passwords (e.g., length, complexity), how often they must be changed, reuse of passwords and prohibited passwords.
• Incident response. A key component of your policy should include information on how to respond to a data breach or other cybersecurity incident, including who is in charge, who should be notified, and steps to take to minimize harm.
• Email. Considering everyone in your government likely uses email, you should have a policy that describes the appropriate use of government-issued email accounts and addresses the use of personal, third-party email like Gmail.
• Personal device use. Identify restrictions on employees’ personal devices and circumstances under which they can connect them to your government’s network.
• Use of multifactor authentication (MFA). To help secure your staff’s login credentials, your policies should cover the circumstances and specific types of accounts (such as IT administrators versus all employees) must use MFA.
• Social media accounts. If your government uses social media, you should have a policy that describes acceptable use for social networking, as well as who can access and post on your government’s social media accounts.

Once you have written your IT policies, decide how and when to share them with employees. Consider including your IT policy in your onboarding process for new employees, as well as requiring staff to take mandatory training or regular refreshers. In some cases, you might require employees to sign a copy of the policy as an acknowledgment they have read and agree to abide by it. We recommend you review your IT policies annually and update them as necessary.

Resources for writing your IT policy

• The SANS Institute offers policy guidance and sample language for a variety of different types of IT policies.
• The Center for Internet Security has a guide you can download with links to dozens of IT policy templates.
• If you work with a managed service provider, it may be able to provide IT policies that your government can adopt and implement.

Ready for a checkup?

The Center’s cyber checkups provide a fast, free and independent assessment of your government’s vulnerability to common threats, along with actionable steps you can take to improve your overall cyber health. Contact us today to schedule your cyber checkup!

How to reach us for more assistance

Do you have questions about cybersecurity? SAO’s Center for Government Innovation’s cybersecurity specialist is available to talk with you about best practices and resources. For assistance, reach out to us at Center@sao.wa.gov.