Before we talk about how to create an information security policy, it is important to clarify what information security really is.
Information security — sometimes shortened to InfoSec — is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to ensure confidentiality, integrity, and availability.
CIA Triad: Confidentiality, Integrity, Availability
If you’ve been in the security field for a while, you probably know that information security is threefold. For those new to the field, information security rests on three critical components: confidentiality, integrity, and availability (CIA):
- Confidentiality: protection from unauthorized access
- Integrity: protection from unauthorized alterations of data
- Availability: ensuring timely and reliable access to and use of information
Understanding the security CIA Triad, the various principles behind it, and how it applies to your organization will help you implement a sound security policy.
Why Create an Information Security Policy?
Organizations commonly create an information security policy because “ISO 27001 says we should have one” or “it’s required for the audit.” Sure, but that’s not the primary reason for having a policy.
A security policy, or set of policies, is designed to mitigate risk (e.g., a data breach) and is usually developed in response to an actual or perceived threat (a situation that could potentially cause undesirable consequences or impacts). The policy contains a high-level statement of management intent and direction and should be developed or modified to support the organization’s strategic objectives.
Security policies on their own are not enough. Employees must understand what the rules are for protecting information and assets, and the reasons why security standards are developed.
Security standards are developed to set boundaries for people, processes, technologies, and procedures to help maintain compliance with policies and support the achievement of the organization’s goals and objectives.
Best Practices in Creating an Information Security Policy
After over a decade of creating security policies, perhaps the most important advice I can give any organization for creating a successful policy is to write it specifically with the organization’s strategic objectives, risk appetite and tolerance, and culture in mind.
Ensure that the policy is written by an individual who can translate high-level security requirements into business terms. It should be written in a way employees can understand; just like a good app, it should be user-friendly. It should explain why security is important within the organization and define everyone’s responsibilities for protecting the organization’s information and assets.
What Makes an Effective Security Policy?
What you don’t want to include in your policy is a list of “thou shalt nots.” In my experience, whenever a policy is full of strict directives that sound more like commandments, it is doomed to fail, and compliance with it is difficult to monitor. You can avoid bloating your policy by constructing one that is clear, concise, relatable, and easy to understand.
A good rule of thumb is to write it for the average, non-technical person. Within 60 seconds, it should be clear to the reader what the security policy is about. Any struggle comprehending it, and you may need to go back to the drawing board.
As mentioned earlier, an effective security policy should not only align with an organization’s strategic objectives but it should also consider the organization’s overall risk profile.
You should be able to answer these questions: How much security risk is the organization willing to tolerate? What is the consensus on security risk, and do the policies and corporate mandate address it? What is the tone at the top? What is the organization’s culture towards security?
Finally, your policy should be reviewed and updated annually, which helps your organization keep up to date with regulations, changes in technology and the threat landscape, and industry best practices.
But the truth is that too many organizations search for a boilerplate policy and make few changes to it. If the policy isn’t tailored to your organization, it probably won’t be followed — I’ve seen it happen far too often.
What Should Your Security Policy Cover?
To get you started, here are 10 potential policy elements and relevant questions that should be answered when designing an enterprise security policy:
- Purpose: Why do you need this policy?
- Scope and Applicability: What’s the scope of the policy? Whom does this policy apply to?
- Policy Authority: To whom has the Board or CEO granted authority to establish security policies and standards? Who can approve the policy? Who can update the policy? If there is a requirement in the policy that cannot be met, is a policy exemption request submitted?
- Policy Review Cycle: How often will the policy be reviewed?
- Company Culture: How can the policy adapt to your corporate culture? Does your organization’s culture support your security efforts? Do you have commitment and support from senior executives?
- Topics of Focus: What topics (e.g., Email & Internet, BYOD, Social Media) should be included in your policy so that employees are aware of their security responsibilities around your organization’s information and assets?
- Specific Information Security Policies: What policies will cover a subsidiary area of information security (e.g., Key Management, Security Incident Response, Firewall) that further mandates the information security controls required at an operational level?
- Training: How does the organization approach security awareness? What methods are used for awareness training and how often does training occur?
- Communication: Who do employees contact when they have questions about anything security-related? How will you communicate the security policy? Will you require employees to acknowledge and sign off on your policy?
- Compliance: How will you monitor compliance with this policy?
The Importance of Policy Enforcement
A security policy can only be effective if employees are confident that rules will be enforced. There must be clear responsibilities defined for compliance as well as stipulations regarding steps that will be taken for non-compliance.
Depending on an organization’s industry, the security policy should reference the importance of adherence to that industry’s regulations. This may include the PCI Data Security Standard, the Dodd-Frank Wall Street Reform and Consumer Protection Act, the Federal Risk and Authorization Management Program (FedRAMP), the General Data Protection Regulation (GDPR), or HIPAA (Health Insurance Portability and Accountability Act), to name a few.
To achieve the best enforcement results, your policy should be in sync with the current threat landscape as well as privacy regulations. When a policy reflects what is actually happening online (think phishing, ransomware, privacy fines, etc.), you have a better chance of employees following along. If that policy is clear and understandable, enforcement is easier.
When writing your policy, keep compliance and enforcement in mind. If you don’t think you can follow through with the rules for a specific element of the policy, it may need to be re-written.
Ultimately, the policy must not impede the organization and its employees from achieving the organization’s mission or goals.