Information Security Policy – Why Your Organization Needs One
Information security policies are a set of written statements that form the foundation of an organization’s security program. They are put into place to govern employees’ behavior regarding the security of an organization’s information and information technology.
What is Information Security?
Going back to the basics, it’s important to understand the concept of information security. There are three primary principles that make up the information security CIA triad:
- Confidentiality — the protection of information against unauthorized disclosure
- Integrity — the protection of information against unauthorized modification and ensuring the authenticity, accuracy, non-repudiation, and completeness of the information
- Availability — the protection of information against unauthorized destruction and ensuring data is accessible when needed
This is critically important, since having these fundamental principles in place helps protect the information assets of an organization from compromise, theft, or tampering. In short, building effective information security policies that support the CIA triad helps protect the organization from cyber threats by decreasing risk.
Why does your organization need an Information Security Policy?
The information security policy provides guidance and direction for employees that ensures that their behavior helps reduce the risk of threats to the organization. Policies:
- define what is required of employees
- reflect the risk tolerance of management
- provide direction on how security controls can be implemented to secure the organization
- support an organization’s legal and ethical responsibilities
- provide a mechanism to hold individuals accountable for compliance with expected behaviors regarding information security
What Topics Are Included in an InfoSec Policy?
Many organizations maintain a library of information security policies that cover a wide variety of situations. Everything from access control to encryption to computer backups are topics that can be covered. Some bundle these topics into one large document with each topic as its own chapter, while others maintain separate written policies covering each topic. There is no right or wrong way to organize your organization’s InfoSec policies; however, each policy should be reviewed at least annually to ensure that it is still relevant. Here is a short list of topics that should be covered:
- Access control
- Identification and Authentication (including multi-factor authentication and passwords)
- Data classification
- Encryption
- Remote access
- Acceptable use
- Patching and vulnerability detection
- Malicious code protections
- Physical security
- Backups
- Server security
- Change management
- Security Awareness Training
How are InfoSec Policies Organized?
InfoSec policies need to be clearly written and conform to a standardized format. Ideally, they need to contain language that removes ambiguity to avoid misunderstandings. The phrase “Computers must be secured using strong encryption” is much less ambiguous than the phrase “Computers should be secured…”. Although it’s beyond the scope of this article, there are differences between policies, procedures, guidelines, and standards. Using words like should, may, or even shall in some cases leaves open the interpretation that the policy statement is optional. Policies are not optional, so my advice is to stick with must whenever possible when constructing policy statements.
Constructing robust Information Security Policies involves using a template with several key elements. Please have a look at 8 Important Elements Of Information Security Policies (cybersecurity-automation.com) for examples of the 8 elements of an Information Security Policy. The minimum headers for the policy include the following:
- Purpose
- Audience
- Information Security Objectives
- Authority, Roles and Responsibilities
- Data Classification
Conclusion
Whether your organization decides to draft multiple separate policies or bundle them into one master policy that includes many subtopics is completely up to you. Many organizations already have a lot of policy content in the HR Employee Handbook, so it’s important to consult that document before setting out to write your new policies, to ensure you don’t have overlapping or conflicting statements. Personally, I’m a fan of writing separate policies for each subtopic but having one overarching Information Security Policy that addresses the CIA triad as well as staff roles and responsibilities and data classification. The benefit of having separate documents is that they can be reviewed and updated much more easily than if they were embedded in a large document.
Contact 2Bware today for tips and advice about how to get prepared. We can help you develop your Information Security Policies so you can move forward in developing critical security controls to protect your business.