Jan 15, 2015
Creating an information security policy is an essential part of rolling out a security program. Unfortunately, creating a clear, comprehensive and actionable policy can be a serious struggle, especially for larger organisations. If you’re weighing up the pros and cons of different information security policies, or trying to create one from scratch, this guide will help ensure that your policy is fair and effective – empowering your IT team, and improving the security of your whole organisation.
What is an Information Security Policy?
An Information Security Policy is a codified document that outlines how an organisation plans to protect its digital assets. It provides a company-wide framework for security, and is designed to outline the core tenets of an organisation’s digital security program, especially:
- How security measures will be carried out and enforced.
- How security policy can be monitored and analysed, and how changes and improvements to the policy can be made over time.
- How the organisation plans to educate employees about information security.
- The roles and expectations of both IT teams and individual employees within a security program.
- How employees should conduct themselves when accessing corporate networks and information (known as an Acceptable Use Policy, or AUP).
A formal policy agreement is designed to empower security teams, and to give them the authority and support needed to implement security practices effectively. It plays a crucial role in developing a secure culture within your organisation, allowing all employees, from junior developers through to senior management staff, to understand their role within digital security.
Creating an Information Security Policy
Many organisations choose to adopt or adapt existing off-the-shelf security policies. Whilst these policies offer a basic foundation for organisational security, they won’t reflect the management objectives and existing practices of your organisation, or the unique challenges and compliance issues found within your industry. In order to create a policy that properly reflects your own organisation, it’s essential to develop your own policy with these crucial questions in mind:
- What is the scope of the policy? All of the organisation’s data, systems, programs, networks and users need to be clearly addressed within the policy.
- Is the policy aligned with the organisation’s business objectives? For a policy to have a meaningful impact on organisational security, it needs to have buy-in from decision makers at all levels of the organisation. This requires the creation of a security policy which doesn’t undermine existing business goals.
- Is there a regulatory aspect to the policy, or is it simply a best-practice guide?
- If the policy is regulatory, what are the consequences of non-compliance?
- Does the policy reflect actual practice? If it mandates controls or behaviour that are not already in place, the entire organisation becomes non-compliant the moment the policy is published.
- Is the policy accessible to all users? Security policies are designed to improve organisation-wide understanding of security – including non-technical employees. This means that policies should avoid relying on technical jargon, and instead speak in the simplest terms possible.
- Will the policy need to be supplemented by other documentation? If technical information is omitted, it’s important for the information to be available through other documents.
If you’d like to use a template to begin drafting your own security policy, you can download free sample security policies here. For an in-depth look at the topics your information security policy should address, you can read this guide: How to create a good information security policy; and for help in identifying and prioritising the types of security risks your policy should address, read Creating and Enforcing an Effective Information Security Policy.
How to Successfully Implement an Information Security Policy
An information security policy can be a powerful tool in improving organisational security. However, it isn’t a panacea – and for your policy to have a meaningful impact on security, it needs to be implemented in the right way.

A security policy should be treated as a ‘living document’ – something which needs to develop alongside the growth of an organisation, and its changing digital environment. Whilst the policy needs to maintain its authority, mechanisms should exist to periodically review its efficacy, and revise its contents.

An information security policy shouldn’t try to rewrite how the company operates. An organisation’s existing operation is driven by greater factors than security alone – particularly financial, management and performance expectations. The policy should reflect the existing operation of a company, and not expect the business to completely reinvent itself for the sake of security.

Simple policies are more effective than complex policies. Publishing a concise set of strict mandates makes it easier for employees to both understand the policy and abide by it. Complex policies are more likely to incur accidental infringement, and to require exceptions and exemptions; both of these undermine the authority of the policy.

Effective security can’t be achieved by IT teams alone; it requires the active participation of all members of an organisation. Your Information Security Policy needs to be designed with all employees in mind, and not just IT teams. When creating your policy, strive to create a clear and concise policy that can be understood and acted upon by all employees.