An information security policy (ISP) is a set of rules, policies and procedures designed to ensure all end users and networks within an organization meet minimum IT security and data protection security requirements.
ISPs should address all data, programs, systems, facilities, infrastructure, authorized users, third parties and fourth parties of an organization.
What is the Purpose of an Information Security Policy?
An information security policy aims to enact protections and limit the distribution of data to only those with authorized access. Organizations create ISPs to:
- Establish a general approach to information security
- Document security measures and user access control policies
- Detect and minimize the impact of compromised information assets such as misuse of data, networks, mobile devices, computers and applications
- Protect the reputation of the organization
- Comply with legal and regulatory requirements like NIST, GDPR, HIPAA and FERPA
- Protect their customer's data, such as credit card numbers
- Provide effective mechanisms to respond to complaints and queries related to real or perceived cyber security risks such as phishing, malware and ransomware
- Limit access to key information technology assets to those who have an acceptable use
Why is an Information Security Policy is Important?
ISPs are important for new and established organizations. Increasing digitalization means every employee is generating data and a portion of that data must be protected from unauthorized access. Depending on your industry, it may even be protected by laws and regulations.
Whether you like it or not, information security (InfoSec) is important at every level of your organization. And outside of your organization.
Increased outsourcing means third-party vendors have access to data too. This is why third-party risk management and vendor risk management is part of any good information security policy. Third-party risk, fourth-party risk and vendor risk are no joke.
What are the Key Elements of an Information Security Policy?
An information security policy can be as broad as you want it to be. It can cover IT security and/or physical security, as well as social media usage, lifecycle management and security training. In general, an information security policy will have these nine key elements:
Outline the purpose of your information security policy which should:
- Preserve your organization's information security.
- Detect and preempt information security breaches caused by third-party vendors, misuse of networks, data, applications, computer systems and mobile devices.
- Protect the organization's reputation
- Uphold ethical, legal and regulatory requirements
- Protect customer data and respond to inquiries and complaints about non-compliance of security requirements and data protection
Define who the information security policy applies to and who it does not apply to. You may be tempted to say that third-party vendors are not included as part of your information security policy.
This may not be a great idea. Third-party, fourth-party risk and vendor risk should be accounted for. Whether or not you have a legal or regulatory duty to protect your customer's data from third-party data breaches and data leaks isn't important. Customers may still blame your organization for breaches that were not in your total control and the reputational damage can be huge.
3. Information Security Objectives
These are the goals management has agreed upon, as well as the strategies used to achieve them.
In the end, information security is concerned with the CIA triad:
- Confidentiality: data and information are protected from unauthorized access
- Integrity: Data is intact, complete and accurate
- Availability: IT systems are available when needed
4. Authority and Access Control Policy
This part is about deciding who has the authority to decide what data can be shared and what can't. Remember, this may not be always up to your organization. For example, if you are the CSO at a hospital. You likely need to comply with HIPAA and its data protection requirements. If you store medical records, they can't be shared with an unauthorized party whether in person or online.
An access control policy can help outline the level of authority over data and IT systems for every level of your organization. It should outline how to handle sensitive information, who is responsible for security controls, what access control is in place and what security standards are acceptable.
It may also include a network security policy that outlines who can have access to company networks and servers, as well as what authentication requirements are needed including strong password requirements, biometrics, ID cards and access tokens.
In some cases, employees are contractually bound to comply with the information security policy before being granted access to any information systems and data centers.
5. Data Classification
An information security policy must classify data into categories. A good way to classify the data is into five levels that dictate an increasing need for protection:
- Level 1: Public information
- Level 2: Information your organization has chosen to keep confidential but disclosure would not cause material harm
- Level 3: Information has a risk of material harm to individuals or your organization if disclosed
- Level 4: Information has a high risk of causing serious harm to individuals or your organization if disclosed
- Level 5: Information will cause severe harm to individuals or your organization if disclosed
In this classification, levels 2-5 would be classified as confidential information and would need some form of protection.
6. Data Support and Operations
Once data has been classified, you need to outline how data is each level will be handled. There are generally three components to this part of your information security policy:
- Data protection regulations: Organizations that store personally identifiable information (PII) or sensitive data must be protected according to organizational standards, best practices, industry compliance standards and regulation
- Data backup requirements: Outlines how data is backed up, what level of encryption is used and what third-party service providers are used
- Movement of data: Outlines how data is communicated. Data that is deemed classified in the above data classification should be securely communicated with encryption and not transmitted across public networks to avoid man-in-the-middle attacks
7. Security Awareness Training
A perfect information security policy that no one follows is no better than having no policy at all. You need your staff to understand what is required of them. Training should be conducted to inform employees of security requirements, including data protection, data classification, access control and general security threats.
Security training should include:
- Social engineering: Teach your employees about phishing, spearphishing and other common social engineering cyber attacks
- Clean desk policy: Laptops should be taken home and documents shouldn't be left on desks at the end of the work day
- Acceptable usage: What can employees use their work devices and Internet for and what is restricted?
8. Responsibilities and Duties of Employees
This is where you operationalize your information security policy. This part of your information security policy needs to outline the owners of:
- Security programs
- Acceptable use policies
- Network security
- Physical security
- Business continuity
- Access management
- Security awareness
- Risk assessments
- Incident response
- Data security
- Disaster recovery
- Incident management
9. Other Items an ISP May Include
Virus protection procedure, malware protection procedure, network intrusion detection procedure, remote work procedure, technical guidelines, consequences for non-compliance, physical security requirements, references to supporting documents, etc.
What are the Best Practices for Information Security Management?
A mature information security policy will outline or refer to the following policies:
- Acceptable use policy (AUP): Outlines the constraints an employee must agree to use a corporate computer and/or network
- Access control policy (ACP): Outlines access controls to an organization's data and information systems
- Change management policy: Refers to the formal process for making changes to IT, software development and security
- Information security policy: High-level policy that covers a large number of security controls
- Incident response (IR) policy: An organized approach to how the organization will manage and remediate an incident
- Remote access policy: Outlines acceptable methods of remotely connecting to internal networks
- Email/communication policy: Outlines how employees can use the business's chosen electronic communication channel such as email, slack or social media
- Disaster recovery policy: Outlines the organization's cybersecurity and IT teams input into an overall business continuity plan
- Business continuity plan (BCP): Coordinates efforts across the organization and is used in the event of a disaster to restore the business to a working order
- Data classification policy: Outlines how your organization classifies its data
- IT operations and administration policy: Outlines how all departments and IT work together to meet compliance and security requirements.
- SaaS and cloud policy: Provides the organization with clear cloud and SaaS adoption guidelines, this helps mitigate third-party and fourth-party risk
- Identity access and management (IAM) policy: Outlines how IT administrators authorize systems and applications to the right employees and how employees create passwords to comply with security standards
- Data security policy: Outlines the technical requirements and acceptable minimum standards for data security to comply with relevant laws and regulations
- Privacy regulations: Outlines how the organization complies with government-enforced regulations such as GDPR that are designed to protect customer privacy
- Personal and mobile devices policy: Outlines if employees are allowed to use personal devices to access company infrastructure and how to reduce the risk of exposure from employee-owned assets
There is a lot of work in each of these policies, but you can find many policy templates online.