Before we talk about how to create an information security policy, it is important to clarify what information security really is.
Information security — sometimes shortened to InfoSec — is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to ensure confidentiality, integrity, and availability.
If you’ve been in the security field for a while, you probably know that information security is threefold. For those new to the field, information security involves three critical components: confidentiality, integrity, and availability (CIA).
Understanding the security CIA Triad, the various principles behind it, and how it applies to your organization will help you implement a sound security policy.
Organizations commonly create an information security policy because “ISO 27001 says we should have one” or “it’s required for the audit.” Sure, but that’s not the primary reason for having a policy.
A security policy, or set of policies, is designed to mitigate risk (e.g., a data breach) and is usually developed in response to an actual or perceived threat (a situation that could potentially cause undesirable consequences or impacts). The policy will contain a high-level statement of management intent and direction and should be developed or modified to support an organization’s strategic objectives.
Security policies on their own are not enough. Employees must understand what the rules are for protecting information and assets, and the reasons why security standards are developed.
Security standards are developed to set boundaries for people, processes, technologies, and procedures to help maintain compliance with policies and support the achievement of the organization’s goals and objectives.
After over a decade of creating security policies, perhaps the most important advice I can give any organization for creating a successful policy is to write it specifically with the organization’s strategic objectives, risk appetite and tolerance, and culture in mind.
Ensure that the policy is written by an individual who can translate security requirements at a high level into business terms. It should be written in a way employees can understand; just like a good app, it should be user-friendly. It should explain why security is important within the organization, and define everyone’s responsibilities for protecting the organization’s information and assets.
What you don’t want to include in your policy is a list of “thou shalt nots.” In my experience, whenever a policy is full of strict directives that sound more like commandments, it’s doomed to fail and it’s difficult to monitor compliance. You can avoid bloating your policy by constructing one that is clear, concise, relatable, and easy to understand.
A good rule of thumb is to write it for the average, non-technical person. Within 60 seconds, it should be clear to the reader what the security policy is about. Any struggle comprehending it, and you may need to go back to the drawing board.
As mentioned earlier, an effective security policy should not only align with an organization’s strategic objectives but it should also consider the organization’s overall risk profile.
You should be able to answer these questions: How much security risk is the organization willing to tolerate? What is the consensus on security risk and do the policies and corporate mandate address that? How is the tone at the top? What is the organization’s culture towards security?
Finally, your policy should be updated annually as it helps your organization keep up to date with regulations, changes in technology and threat landscape, and industry best practices.
But the truth is that too many organizations search for a boilerplate policy and don’t make many changes. If the policy isn’t tailored to your organization, it probably won’t be followed — I’ve seen it happen far too often.
To get you started, here are 10 potential policy elements and relevant questions that should be answered when designing an enterprise security policy:
A security policy can only be effective if employees are confident that rules will be enforced. There must be clear responsibilities defined for compliance as well as stipulations regarding steps that will be taken for non-compliance.
Depending on an organization’s industry, the security policy should reference the importance of adherence to that industry’s regulations. This may include the PCI Data Security Standard, the Dodd-Frank Wall Street Reform, the Federal Risk and Authorization Management Program (FedRAMP), the General Data Protection Regulation (GDPR) or HIPAA (Health Insurance Portability and Accountability Act), to name a few.
To achieve the best enforcement results, your policy should be in sync with the current threat landscape as well as privacy regulations. When a policy reflects what is happening online (think phishing, ransomware and other malware, privacy fines, etc.), you have a better chance of employees following along. If that policy is clear and understandable, enforcement is easier.
When writing your policy, keep compliance and enforcement in mind. If you don’t think you can follow through with the rules for a specific element of the policy, it may need to be re-written.
Ultimately, the policy must not impede the organization and its employees from achieving the organization’s mission or goals.