Password Policy: It is recommended that a password combine letters and digits. The password should also be at least 8 alphanumeric characters long (generally considered the minimum acceptable length). This makes the password difficult to guess; shorter or simpler choices are too easy for a skilled attacker to guess.
Most organizations specify a password policy, such as:
1. The use of both upper-case and lower-case letters (case sensitivity)
2. Inclusion of special characters, such as @, #, $
3. Prohibition of words found in the dictionary
4. Prohibition of use of company name or an abbreviation
5. Prohibition of passwords that match the format of calendar dates, license plate numbers, telephone numbers, or other common numbers
6. Ensure that the users change the passwords at regular intervals
7. Ensure that the length of the password is above a certain minimum number of characters/digits.
Sometimes, systems create the password for the users or let the user select one of a limited number of displayed choices.
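As an added example that is not part of these notes, the following Python code checks a candidate password against the policy rules listed above (case mix, digits, special characters, dictionary words, company name, common number formats, minimum length) and tests whether a password is due for rotation. The dictionary words, company terms, 90-day rotation interval and the date/phone/plate patterns are constructed assumptions, not values from the notes.

```python
import re
from datetime import date, timedelta

# Constructed sample lists standing in for an organization's own
# dictionary and company-name blocklist (assumptions for this example).
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "monkey"}
COMPANY_TERMS = {"acme", "acmecorp"}
MIN_LENGTH = 8          # minimum length from the policy
MAX_AGE_DAYS = 90       # assumed rotation interval

# "Common number" formats the policy prohibits (assumed patterns).
DATE_PATTERN = re.compile(
    r"^(\d{2}[/.-]\d{2}[/.-]\d{2,4}|\d{4}[/.-]\d{2}[/.-]\d{2}|\d{6}|\d{8})$")
PHONE_PATTERN = re.compile(r"^\+?\d[\d\s().-]{6,}\d$")
PLATE_PATTERN = re.compile(r"^[A-Z]{2,3}[- ]?\d{3,4}$", re.IGNORECASE)


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means it complies."""
    violations = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        violations.append("must mix upper-case and lower-case letters")
    if not any(c.isdigit() for c in password):
        violations.append("must contain at least one digit")
    if all(c.isalnum() for c in password):
        violations.append("must contain a special character such as @, # or $")
    if any(word in lowered for word in DICTIONARY_WORDS):
        violations.append("contains a dictionary word")
    if any(term in lowered for term in COMPANY_TERMS):
        violations.append("contains the company name or its abbreviation")
    if DATE_PATTERN.match(password) or PHONE_PATTERN.match(password) \
            or PLATE_PATTERN.match(password):
        violations.append("matches a date, telephone-number or license-plate format")
    return violations


def password_expired(last_changed: date, today: date,
                     max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when the password is older than the rotation interval."""
    return today - last_changed > timedelta(days=max_age_days)


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3", "password1", "12/05/1999", "Acme#2024"]:
        print(candidate, "->", check_password(candidate) or "OK")
    print("expired:", password_expired(date(2024, 1, 1), date(2024, 4, 1)))
```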
Incident Response Policies
An acceptable use policy (AUP): An AUP is a document that outlines a set of rules to be followed by users or customers of computing resources, which could be a computer network, a website or a large computer system. An AUP clearly states what the user is and is not allowed to do with these resources. It is a simple set of rules that defines how the computer equipment and network can be used. It is generally a very short document that a new employee can read and understand quickly, so they know what they are agreeing to.
Data Loss Prevention (DLP): DLP is a set of tools and processes used to ensure that sensitive data is not lost, misused, or accessed by unauthorized users. DLP software classifies regulated, confidential and business-critical data and identifies violations of policies defined by the organization or within a predefined policy pack, typically driven by regulatory compliance requirements such as HIPAA, PCI-DSS, or GDPR.
NDA: NDA, short for Non-Disclosure Agreement, is an agreement that binds the parties to keep negotiations, negotiation results or confidential documents secret. A non-disclosure agreement may be unilateral or bilateral, that is, it may bind only one party or multiple parties.
Service Level Agreement (SLA): An SLA is an agreement between a client and a service provider for recurring services. Its aim is to make the service transparent and controllable for the customer by describing in detail guaranteed performance characteristics such as scope, reaction time and speed of processing.
Consent to monitoring policy: In which employees and other network users acknowledge that they know they're being monitored and consent to it.
Network policies describe acceptable uses for the network resources.
BYOD (bring your own device): The practice of allowing the employees of an organization to use their own computers, smartphones, or other devices for work purposes. BYOD reflects the increasing trend toward employee-owned devices within a business. Smartphones are the most common example, but employees also bring their own tablets, laptops and USB drives into the workplace.