Acceptable Use Policy
This policy is a pretty straightforward set of rules that define what is allowed and what is not allowed on company equipment and resources. Typically the Acceptable Use Policy covers things that are prohibited and the consequences received, such as software pirating or accessing inappropriate web-content. The Acceptable Use Policy isn't designed to make employees feel like prisoners however, it just sets the boundaries for productive and acceptable work habits. For example, you may allow employees to make send text messages or use Facebook as long as it doesn't interfere with day-to-day business and work still gets done.
Password policies can typically be set up on your server to enforce a minimum length and the types of characters required in the password. This policy can also dictate how often passwords need to be changed. It is also a good idea to tack on a number for how many unsuccessful login attempts are made before the account is locked out.
Storage and Retention Policy
Data, both digital and hardcopy, can pose a security risk when not archived and organized properly. These policies detail things from file structure to how long certain data is retained. Some industries have their own sets of laws for data retention, for example a legal office may be required to keep customer records for a certain number of years. When possible, it's recommended to go beyond the minimum requirement and have better than the recommended security just to be on the safe side. Data backup plays a huge role in this policy, and it is important to have a structured plan in the event of a disaster or hardware malfunction.
It is important to clearly define what information is considered private and what data is not considered private. You will want to enforce privacy that at least complies with legal regulations, which may vary depending on your business. Privacy Policies include data collection as well.
Incident Response Policy
This is the emergency policy. Just like you should prepare for bad weather with flashlights and batteries, preparing for a security incident should be done in advance. The policy should cover multiple types (or levels) of instances and how to handle each. Address the basics such as hardware outages, data theft, data leaks, and failure to comply with other policies. Proper planning and definition will keep downtime to a minimum.
Social Media Policies
If your security policies aren't laid out and organized, or they aren't kept up to date with regular revisions as the company changes and grows, you risk potential chaos, customer dissatisfaction, and worse, legal issue. Have a suggestion to add for other Southern California small businesses? Let us know in the comments!