How To Write An Effective Information Security Policy
Does your organization have an information security policy in place? If so, when was the last time you updated it?
Articles published September 29, 2017 by Shane Kos
Before we dive into what all should go in an information security policy, let’s define what it is.
An information security policy is a document that sets forth rules and definitions around an organization’s users, networks, and devices to ensure the security of the digital content (data) stored within that organization.
Whether or not you already have one, such a policy is an effective way to communicate what is acceptable in how employees use corporate IT assets, including internet usage and web browsing. It also states the consequences of not following the policy.
What are the Objectives of an Information Security Policy?
To help you determine what to put in your policy, it’s helpful to consider the overall objectives it can accomplish.
Clearly state that some access to information will be restricted and only granted to those who have a legitimate reason to access it.
There are different classifications of data, such as high-risk, confidential, and public data. These should be defined within your policy. List out the processes and details of each classification, and how users should handle this data.
Support and Operations
Clearly state how data is kept secure through anti-malware protection, firewalls, encryption, and patching, as well as through data backup and transfer processes.
Making your employees aware of how to remain secure when accessing company data and files is essential. In addition to listing out how to be secure, you should also host mandatory security awareness training sessions to ensure all employees are trained.
Roles and Responsibilities
Lastly, state the role and responsibilities that every employee is expected to fulfill after reading the information security policy. This means stating that all users must comply with the policy and follow the safety procedures and guidelines to keep data and devices secure.
Scope: What Should be Included in an Information Security Policy?
Keep it Clear and Concise
When it comes to creating an information security policy, make it clear and to the point. Don’t add any unnecessary language.
The National Research Council (NRC) states that any company policy should follow this structure:
- Specific goals
- Responsibilities for compliance and noncompliance consequences
Clearly explain what happens when employees ignore your policy or consciously go against it. There is a reason behind each of your guidelines, so give employees those reasons. Along with the reasons, tell them that failure to abide by these rules will result in some form of serious discipline for misconduct.
Include These Clauses
Include a section with terms and conditions. While these may vary depending on the organization, there are some standard ones you should incorporate.
To protect your organization, use these clauses in your policy:
- "Viewing or downloading offensive, obscene, or inappropriate material from any source is forbidden."
- "The storing and transfer of illegal images, data, material, and/or text using this equipment is forbidden."
Additionally, include clauses stating that compliance with data security rules will be observed and monitored, and that internet access or email use for non-business purposes can be revoked. Mention that you reserve the right to review all internet and email use.
State Password Requirements
Does your organization have a standard set of password rules? It’s important to include this in your policy. See our recommendations on password requirements.
Adhere To Regulations
An information security policy must also adhere to specific regulations in your industry. Here are some examples:
- PCI Data Security Standard and the Basel Accords Worldwide
- Dodd-Frank Wall Street Reform and Consumer Protection Act
- Health Insurance Portability and Accountability Act
- Financial Industry Regulatory Authority in the United States
It’s common for organizations to create an information security policy and then not keep it updated. When needed, update your policy to include new rules or regulations, and revisit it to change or fix outdated language. This doesn’t have to be frequent, but quarterly or annually is a good goal.
In the end, the goal is to clearly state expectations and rules for how employees should conduct themselves on their devices at work, and to protect your organization should any legal issues occur. The policy also communicates how company data and devices should be handled so they remain safe and secure. If you follow the above tips, you should be well on your way to writing an effective information security policy for your organization.