Sample data transfer and storage policy template


Storing and transferring data has never been easier for workers – or more dangerous. Here is a sample policy you can build on to set rules and best practices for how users can transfer sensitive information without letting it fall into the wrong hands.

Storing and transferring work data policy

Employees at Company XYZ are given a variety of resources to do their jobs efficiently and effectively. But it’s important that these resources are carefully guarded.

Storing, transferring and sharing company information comes with risks. It can result in data breaches (in which company data is released to people outside of the organization or employees of the organization who haven’t been granted access to it), data theft (in which hackers steal information for financial gain or to gather intelligence) and misplaced data (in which original files become lost or unavailable).

The purpose of this policy is to ensure that data is kept available only to current employees of Company XYZ who have been pre-approved to possess it.

1. Email

All data sent over email (as an attachment or in an email text) should be considered sensitive and protected as such. Never send work documents or information to someone outside of the company unless it has been cleared by a manager and IT. This includes forwarding company emails to your own personal email account.

Note: Not all users within Company XYZ have access to the same information. Before sending data or files to a co-worker in an email, check with your manager to be sure the recipient is allowed to have access to it.

2. Cloud storage and cloud applications

We appreciate that workers may sometimes need to access work outside of the office, whether from home, on mobile devices or on company equipment on the road. However, work information should never be stored in or shared to personal cloud accounts or applications, such as iCloud, Google Drive, Box, Dropbox, Microsoft OneDrive, etc.

Should you need to store or back up data online, IT has approved the following services for doing so:

  • [list services, their URLs or locations here if you have approved cloud services]

If you would like guidance on how to use these services, IT would be happy to assist. And if you have any questions on whether a service is appropriate to use, ask IT before using it.

[Note: You may also want to provide the steps needed for getting approval for a new cloud service if applicable.]

3. Physical storage devices

Storing work data on physical devices, including but not limited to USB drives, memory cards, CDs or external hard drives, must be pre-approved by IT.

  • Employees of Company XYZ must only use devices provided by the company unless otherwise given permission.
  • NEVER use or even plug in a USB drive that you have found or been given as a promotional item. These devices may contain hidden malware or viruses.
  • Lost or stolen devices must be reported to IT and a manager immediately to help ensure their safe return and prevent a data leak.

4. Social media for work data

Work data or information must never be shared over social media accounts such as Facebook, LinkedIn, Google Plus, etc.

[If your company offers an internal social network or collaboration platform, include its policies and rules for usage here.]

5. Encryption

While encrypting data may not prevent a data breach, it can help ensure that if information falls into the wrong hands it can’t be read or used.

Company XYZ requires the following types of information to be encrypted: [List information here.] If information is required to be encrypted, it must be protected by a strong password and should never be copied or shared in a way that would make it available outside of the encryption process.

Whenever you have any doubt or questions on data transfers, contact IT before doing anything else. We will be happy to help you and guide you through the process.