To say the world has changed a lot over the past year would be a bit of an understatement. From a cybersecurity standpoint, the changes have been significant—in large part because many people continue to work from remote locations or alternate between home offices and corporate facilities. Organizations are also using more cloud services and are engaged in more ecommerce activities.

All this change means it’s time for enterprises to update their IT policies, to help ensure security. Here are some of the more important IT policies to have in place, according to cybersecurity experts.

Acceptable use

An acceptable use policy outlines what an organization determines as acceptable use of its assets and data, and even behavior as it relates to, affects, and reflects the organization. “The acceptable use policy is the cornerstone of all IT policies,” says Mark Liggett, CEO of Liggett Consulting and a longtime IT and cybersecurity expert. “This policy explains for everyone what is expected while using company computing assets.”

Such a policy provides a baseline that all users must follow as part of their employment, Liggett says. “If you have no other computer-related policy in your organization, have this one,” he says.

By providing end users with guidance for what to do and limitations on how to do things, an organization reduces risk by way of the user’s actions, says Zaira Pirzada, a principal at research firm Gartner.

Data classification

A data classification policy is one of the most critical components of an information security program, yet it is often overlooked, says Pirzada. “Without good, consistent classification of data, organizations are unable to answer important questions like what their data is worth, how they mitigate risks to their data, and how they effectively monitor and manage its governance,” he says.

Business decision makers, who are now distributed across organizations and beyond the traditional network perimeter, need guidance from IT on how to make informed risk decisions when transacting, sharing, and using sensitive data. To provide that, security and risk management leaders would benefit from the creation of a data classification policy and accompanying standards or guidelines. “Together, they provide both the compass and the path towards the secure use, storage, treatment, and transaction of data,” Pirzada says.

Remote access

Having a clear and effective remote access policy has become exceedingly important. As many organizations shift to a hybrid work environment or continue supporting work-from-home arrangements, this will not change. “A remote access policy defines an organization’s information security principles and requirements for connecting to its network from any endpoint,” including mobile phones, laptops, desktops and tablets, Pirzada says.

The purpose of such a policy is to minimize risks that might result from unauthorized use of company assets from outside its bounds. “Those risks include the damage, loss, or misuse of sensitive data and/or systems, of which the repercussions are significant,” Pirzada says.

Incident response

How should an organization respond to an incident such as a data breach, hack, malware attack, or other activity that presents risk? The answer could mean the difference between experiencing a minor event or suffering a catastrophic blow to the business.

“Accidents, breaches, policy violations; these are common occurrences today,” Pirzada says. “An incident response policy is necessary to ensure that an organization is prepared to respond to cyber security incidents so as to protect the organization’s systems and data, and prevent disruption.”

A policy ensures that an incident is systematically handled by providing guidance on how to minimize loss and destruction, resolve weaknesses, restore services, and put preventative measures in place with the aim of addressing future incidents, Pirzada says. “This policy should detail the required controls for incident handling, reporting, monitoring, training, testing and assistance in addressing incident response,” he says.

The incident response plan is a live document that needs review and adjustments on an annual basis, if not more often, Liggett says. It should detail the roles and responsibilities in case of an incident and define levels of an event and the actions that follow, including the formal declaration of an incident, he says.

The plan brings together company stakeholders including human resources, legal counsel, public relations, management, and insurance, Liggett says. “This understanding of steps and actions needed in an incident reduces errors that occur when managing an incident.” The plan also feeds directly into a disaster recovery plan and business continuity, he says.

Disaster recovery/business continuity

The disaster recovery and business continuity plan (DR/BC) is one of the most important plans an organization needs to have, Liggett says. As with incident response, these plans are live documents that need review and adjustments “on an annual basis if not more often,” he says. “These plans should include the routine practice of restoration and recovery.”

The plans are also crucial because they outline the orchestration of multiple events, responsibilities, and accountability in a time of crisis, Liggett says. “One of the main reasons companies go out of business after a disaster is a failure of the recovery and continuity plans.”

Third-party risk

A third-party security policy contains the requirements for how organizations conduct their third-party information security due diligence. “Third-party risk policy and procedures continue to grow in importance, with higher levels of collaboration outside of the organization and the increased risk it may bring to systems,” says Pete Lindstrom, vice president of security strategies at International Data Corp. (IDC).

The purpose of this policy is “to gain assurance that an organization’s information, systems, services, and stakeholders are protected within their risk appetite,” Pirzada says. “The importance of this policy stems from the now common use of third-party suppliers and services.”

These include cloud services and managed service providers that support business-critical projects. “These relationships carry inherent and residual security risks,” Pirzada says. “A third party may have access to critical systems or information, which necessitates controls and mitigation processes to minimize those risks.”

Companies are more than ever connected by sharing data and workstreams with their suppliers and vendors, Liggett says. “The need for this policy should be easily understood and assures how data is treated and protected while at rest and in transit,” he says. The policy should feature statements regarding encryption for data at rest and using secure communication protocols for data in transmission.

International travel

It might not be something people would think about including on an IT policy list, especially during a pandemic, but knowing how to properly and securely use technology while traveling abroad is important.

“The state of Colorado is creating an international travel policy that will outline what requirements must be met for those state employees who are traveling internationally and plan to work during some part of their trip,” says Deborah Blyth, CISO for the state.

“This policy will include things such as getting the travel pre-approved by the individual's leadership, information on which international locations they plan to visit, and a determination and direction on whether specialized hardware may need to be issued to accommodate that travel,” Blyth says.

For instance, “for some countries where the device being copied or malware being installed is a high-risk threat, the state will likely issue a loaner device, which will have no state data to begin with, and will be wiped immediately upon return,” Blyth says.