How to Write an Effective Information Security Policy
Does your organization have an information security policy in place? If so, when was it last updated?
Articles published September 29, 2017 by Kai Johnson
An information security policy contains an enforceable set of rules and procedures that aim to protect an organization’s confidential data. The document applies to employees and other users who have access to your digital networks and devices.
This type of policy offers an effective way to communicate what is acceptable in terms of how employees leverage corporate IT assets. This may include rules for internet usage and web browsing. It also states consequences for not following the rules.
Information Security Policy Goals and Objectives
To help determine what to put in your information security policy, it’s important to consider what your organization is trying to accomplish by writing the policy. Here are some common business objectives of organizations that implement these policies.
Objective 1: Access Control
Clearly state in your information security policy that some access to information will be restricted and only granted to those who have a legitimate reason to access it.
Objective 2: Data Classification
There are different classifications of data, such as high-risk data, confidential data, and public data. These should be defined within your policy. List out the processes and details of each classification, and how users should handle each type.
Objective 3: Support and Operations
Clearly state how data is kept secure through anti-malware protection, firewall, encryption, and patches, as well as your data backup and transfer processes.
Objective 4: Security Awareness
Educating your employees about how to securely access company data and files is essential. In addition to describing how to be secure, you should also host mandatory security awareness training sessions to ensure all employees are informed.
Objective 5: Roles and Responsibilities
State the responsibilities and roles that every employee is expected to fulfill upon reading the information security policy. You should clearly state that all users need to comply with the policy and follow the outlined safety procedures and guidelines to keep your organization’s data and devices secure. Describe what actions will be taken by your organization if these procedures and guidelines are not followed.
What to Include in an Information Security Policy
While information security policy details will differ between organizations, there are some fundamentals that apply to any information security policy.
Does your organization have a standard set of password rules? It’s important to include this in your policy. See our recommendations on password requirements.
Terms and Conditions
Include a section with terms and conditions. While these may vary depending on the organization, there are some standard ones you should incorporate.
To protect your organization, use these clauses in your information security policy:
- "Viewing or downloading offensive, obscene, or inappropriate material from any source is forbidden."
- "The storing and transfer of illegal images, data, material, and/or text using this equipment is forbidden."
You should also include clauses that say data security discipline will be observed and monitored, and that access to the internet or email for non-business purposes can be taken away. Mention that you reserve the right to review all internet and email use.
Clearly explain what happens when employees ignore your organization’s information security policy or consciously go against it. There’s a reason for your guidelines and policy, so give them the reasons why these were implemented to protect your network and confidential data. Along with your reasons, tell your employees that failure to abide by these rules will result in some form of serious discipline for misconduct.
Additional Information Security Policy Tips
Here are some additional information security policy tips you should follow.
1. Keep it Clear and Concise
When it comes to creating an information security policy, make it clear and to the point. Avoid unnecessary language. The National Research Council (NRC) states that any company policy should follow this structure:
- Specific goals
- Responsibilities for compliance and noncompliance consequences
2. Adhere To Regulations
An information security policy must also adhere to specific regulations in your industry.
Here are some examples:
- PCI Data Security Standard and the Basel Accords
- Dodd-Frank Wall Street Reform and Consumer Protection Act
- Health Insurance Portability and Accountability Act
- Financial Industry Regulatory Authority
3. Update Periodically
It’s common for organizations to create an information security policy and then fail to keep it updated. When needed, update your policy to include new rules or regulations, and revisit it periodically to change or fix outdated language. This doesn’t have to be too frequent, but quarterly or annual reviews are a good goal for your organization.
Clearly State Expectations
In the end, the goal of an information security policy is to clearly state expectations and rules for how employees should conduct themselves on their devices at work, and protect your organization from data breaches and legal liabilities. It also communicates how company data and devices should be handled so they remain safe and secure.
If you follow the information outlined in this article, you should be well on your way to writing an effective information security policy for your organization.
Does your organization have an effective information security policy? Download our information security white paper for even more best practices.
Download the white paper