An information security policy (ISP) is arguably the most important cybersecurity policy an organization can have. Essentially, an ISP defines the protocols and procedures for identifying, evaluating, mitigating, and recovering from security threats. An ISP is data-centric, in that its main objective is to protect data confidentiality, integrity, and availability (known as the CIA triad). An ISP will cover a broad range of areas including access control, data classification, security awareness training and the protocols that employees (and other relevant stakeholders) must follow when interacting with your critical assets.
The Benefits of an Information Security Policy
IT environments are becoming increasingly more complex and distributed, with many employees now working remotely. In such environments, having a standardized, harmonized, and coordinated approach to mitigating and managing security incidents is required. An ISP will make it easier to communicate with employees, contractors, auditors, and other relevant stakeholders about the security measures in place, as well as ensure that they receive the necessary security awareness training. Having an ISP will also make it easier to comply with the regulations that apply to your industry, which might include HIPAA, GDPR, or CCPA. It is common for auditors to request access to an organization’s documentation about the security controls they have in place, and be able to demonstrate that they know what data they have, where is it located, and who has access to it.
Is There an Information Security Policy Template?
Unfortunately, there isn’t a one-size-fits-all ISP, as different organizations have different needs. They have different business models, their employees will have different skill-sets, and compliance obligations vary from industry to industry. That said, there are numerous frameworks available that provide helpful guidance on how to develop an ISP. The two most popular frameworks are the ISO/IEC 27000 and NIST Cybersecurity Framework – both of which provide guidance on how to identify, protect, detect, respond and recover from security incidents. However, for organizations covered by Sarbanes-Oxley (SOX), frameworks like COBIT might be a better choice. Likewise, organizations pursuing HIPAA compliance would be better off looking into ISO 27799. Alternatively, some organizations publish their ISP templates, which you can review and customize accordingly.
Key Elements of an Information Security Policy
As mentioned, there isn’t a fixed approach to designing an ISP, and it’s also worth noting that an ISP will cover almost all areas of cybersecurity, which, as I’m sure you will agree, is a very broad subject. That said, all ISPs will include certain key elements.
Purpose: List the reasons why you need an ISP. In most cases, it is to…
- Protect data confidentiality, integrity, and availability
- Create a harmonized approach to mitigating and managing security incidents
- Demonstrate compliance to the relevant supervisory authorities
- Improve/protect the reputation of your organization
Scope: Create a list of all systems, assets, users, business associates, and applications that fall under the scope of the ISP.
Relevant personnel: List all managers and staff members involved in the design and implementation of the ISP, along with their contact information.
Collection and retention of data: Explain what data you will be collecting, how, why, and for how long. You will also need to provide a brief summary about how the data is stored, the encryption methods used, and the means by which you backup your data.
Data classification: Explain how your data is classified. The simplest data classification schema would be Public, Private, and Restricted. However, many companies prefer to choose a more complex schema that reflects the structure of their company.
Access control: You will need an Access Control Policy (ACP) which specifies the type of access control methods you are using, i.e. Discretionary Access Control (DAC), Role-Based Access Control (RBAC), or Mandatory Access Control (MAC). You will then need to define a set of rules which determine what data can be accessed by who, and under what circumstances. You will also need to specify the protocols for allowing users to request access to resources, including how/when access should be granted/revoked.
Acceptable Use Policy (AUP): In addition to controlling access to critical assets, you will need to create a policy that determines what user actions are acceptable/unacceptable. An AUP will typically include information about how users can access and use the internet, including the websites they can visit and the apps they can install. It will also include a list of actions that are considered unacceptable, which might include sharing credentials, leaving a workstation unattended whilst logged in, or downloading files onto a USB drive.
Data access monitoring: You will need to specify how you plan to keep track of changes made to your privileged accounts and critical assets. In most cases, organizations will use some form of real-time auditing solution to automatically detect, alert and respond to anomalous events.
Incident Response Plan (ISP): Monitoring access to your systems and data is only useful if you have a strategy for responding to suspicious events. An IRP is broken into six stages; preparation, identification, containment, removal, recovery, and lessons learned. In most cases, such as when your real-time auditing solution fires an alert informing you that sensitive data has been accessed in a suspicious manner, you would simply review the event logs to determine whether it was a false flag or a legitimate threat. If it turns out to be a legitimate threat, you will need to execute your incident response plan immediately.
Patch Management Policy: You will need well-documented procedures for installing patches/updates in order to mitigate vulnerabilities in your IT environment.
Security awareness training: Explain when and how security awareness training is to be delivered, including details about who is responsible for developing and presenting the training material.
As mentioned previously, information security is a huge subject, and a full explanation about how to keep your data secure is clearly beyond the scope of this article. For example, in addition to the points listed above, you will also need to document the means by which your data is encrypted – both at rest and in transit. You will need a policy that details the physical security measures you have in place, which might include the use of locks, alarms, badges, and CCTV cameras.
Last but not least, you will need policies that determine how sensitive data should be accessed, used, modified, and removed from your system. Each of these areas requires careful consideration.