Information is the key to just about any business. Every organization holds data it relies on to make decisions, and some businesses run entirely on data. So it makes sense to protect that data and to have controls in place that ensure the information is safe. That is where information security comes into play. It doesn’t matter what size your organization is, what it does, or who the customer is: if your organization uses data or technology (which it obviously does), you need an information security policy. That said, the depth and maturity of the policy largely depend on the size of your organization. But what exactly is an information security policy? Why is it necessary? How do you develop one?

What is information security policy?

There are three major components to information security: confidentiality, integrity and availability, known together as the CIA triad. The entire policy is built around maintaining these three properties. It establishes the logical and physical controls needed to protect business operations, it governs your data, and it defines the responsibilities of the groups and individuals who handle it. It sets out the behavior required to protect digital assets, the organization’s intellectual property and the information the organization thrives on. This is accomplished through high-level policies covering a wide range of topics specific to your organization, which are later broken down into the specific procedures that implement them.

Why is it necessary?

An information security policy includes the policies and procedures necessary to keep the business operating. How is your data stored? What services are you using? What happens when they fail? How do you restore them? How do you control access to them? How do you identify sensitive data? It covers everything you need to maintain (and, if it comes to that, recover) the information the business runs on. But an information security policy extends beyond how data is stored and categorized or how disaster recovery is handled; it covers every aspect of the information system. It defines the way your organization conducts its day-to-day operations with that information. It also covers how the organization classifies its risks and what controls are in place to mitigate them. The technical controls are only one part; analyzing and understanding the organization’s risks is just as important. A good policy provides direction to the organization.

Developing The Policy

When developing any policy, a few things should always be addressed regardless of the technical content: objectives, scope, goals and responsibilities. These are the basics that every policy needs. For more information on drafting policy, see our article on getting started writing policy.

Information security is based on three pillars: confidentiality, integrity and availability. Together these pillars form the foundation of the security policy. The policy should reflect the organization’s risk tolerance and the culture set by management. But what should be included in an information security policy? At a minimum, the policy should cover these fundamental components:

  • Access Control
  • Asset Control
  • Auditing and Accountability
  • Business Continuity Plan
  • Configuration Management
  • Disaster Recovery
  • Incident Response
  • Personnel Security
  • Physical and Environmental Security
  • Relevant Regulations
  • Roles and Responsibilities

Note: These are just the basics that should be included in your information security policy. There are plenty more categories to include; if you are interested in seeing an entire list, please let us know. The plan is to eventually cover all of the control families listed in NIST SP 800-53.

Now that we have addressed some of the technical controls, there is a whole part of an information security policy we have yet to discuss, and it is just as important as the technical side, if not more so: culture. When implementing any policy, consider its impact on the culture as well as on business operations. Implementing security controls is as much about the cultural impact and the effect on daily operations as it is about the technical solution; a control that people work around provides little protection. Keep these considerations in mind when developing a policy or implementing controls.

Taking the next step

Now that we’ve covered what an information security policy is, let’s look at how to create one. Creating policy should always “Start With Why” (Simon Sinek). Why does the organization need an information security policy? To what degree is it required? Once that is settled, it’s time to understand the culture. Without understanding the culture and the environment, the policy will never take hold.