IT Security Policy Consultation

User and Device Policies

All businesses have policies, they are generally written down and define how something is setup/controlled. With the advent of networked computers and cloud computing, it has been possible to encode a written policy into the network. For example, if you mandate that every user in your company must have a 10-character password then you would have a written policy, train your staff and hope this is being complied with. But hope is clearly a weak link, so rather than hope you could use your IT management tool to create a policy that will be enforced on the network. Now you have a written policy, trained staff and enforcement of those policies where appropriate.

One of the baseline steps in securing your business from threats is to have an IT Security Policy, a written document that defines how your business addresses its security risks. The contents of this document are the result of your risk assessment using a tool such as Failure Modes Effects Analysis (FMEA) and/or mandated through a scheme such as Cyber Essentials. This IT Security Policy document is then used to inform staff on your security posture and what you expect from your staff. User and Device Policies are then created on the network to enforce those policies where appropriate.

Example of enforceable policies:


  • A password policy – to define password complexity
  • Standard user – end users do not have administrative rights to their PC
  • Enforced use of Multi-Factor Authentication


  • Hard disk is encrypted
  • Password protected screen saver with xx minutes of inactivity
  • Only domain joined machines can participate on network (no home machines)

There are literally thousands of policies available, it is important to remember that they are there to help enforce your general IT Security Policy.


How Riverbank can help

We can help define your IT security policy or take an existing policy you have and use IT management tools to enforce those policies where appropriate. Related to that is if your business wants to achieve the Cyber Essentials standard Riverbank will take the relevant gap analysis output and use this to update your IT Security Policy and enforce those policies where appropriate.

The key takeaway is understanding the risks your business has by:

  • Conducting a risk analysis/Cyber Essentials
  • Create your company’s IT security policy
  • Train your staff
  • Enforce policy controls where appropriate.
  • Manage and review