#HowTo Put Together an Effective Information Security Policy

As a business operating in any industry, the security of your data and online activity is a fundamental consideration in the modern digital age. With the advent of cloud computing and the prevalence of cyber threats, putting together an effective information security policy, one that gives your employees stringent practices to follow, is the first step in building a rigorous defense against online breaches.
 
Getting started
First of all, it is vital to understand that an information security policy is the cornerstone of everything you do to protect your digital activity. In a business, this means that it begins at the very top, with senior management. Although senior managers may not draft the policy personally, it is vital that they are instrumental in shaping it and are up front and thorough about how they view the security of the business.

Mandates
Getting the mandates right is one of the most important aspects of an information security policy, if not the most important. Without the right mandates, meaning those that can be understood and bought into by everyone within the business, the policy itself will fail to engage the necessary stakeholders.

“My view with mandates is that they should be simple, and should apply to as many people within the business as possible, if not everyone,” advises Colin Campion, an IT specialist at Writinity and LastMinuteWriting. “Don’t try to be too overarching in that policy, and keep it short and clear so that the policy itself is accessible in terms of its presentation, and how it lays out what is expected.”

Sub-policies
Depending on the size and scope of your business, it is very likely that your information security policy will, and should, link to any number of sub-policies. These cover staff in different locations and different roles within the company, and relate to specific technology such as mobile devices. Keeping them standalone makes each one easier to update and improve.

Supplementary documents
Following on from the point about keeping your policy from becoming too long-winded, it is a good idea to use supplementary materials, such as guidelines and procedural documents, which add value to the policy without drowning out the original document. This is preferable to a multitude of sub-policies that only serve to confuse those who are mandated under the policy.

Breaking down an information security policy
Since the core principle of an information security policy is ease of access and understanding, breaking that policy down becomes an essential activity, and the breakdown must relate back to management’s central principles and objectives for what security within the organization really looks like.

Important considerations when breaking the policy down are the scope of the policy (what, specifically, is covered), the facilities and equipment that are included, and all of the networks that fall within the remit of the policy.

“Think carefully about information and what that means. Classify it. Do not assume that everyone is on the same page in terms of what constitutes certain kinds of information: spell it out and try not to be too generic. Then link the information back to the directives of the relevant management teams overseeing that kind of content, and cover all bases,” advises Sara Flores, a tech journalist at DraftBeyond and ResearchPapersUK.

Physical security
Physical security, for example who has physical access to equipment, can easily be overlooked in an information security policy, but that is a mistake. Physical access remains as big a threat to your business’s information as purely digital activity, if not a bigger one.

Among the many considerations here are who has access to company equipment (and how), who uses your servers (and when), and who is able to download materials onto devices and company USB drives. Do not think that anything is too obvious to include in your policy, and once again mandate everything clearly so that all staff understand their responsibilities regarding physical equipment and access to information.

An effective information security policy is the responsibility of every single person in the business, from key stakeholders who are critical in the drafting (and living transformation) of the document, to the staff who are mandated with carrying out their responsibilities in line with that policy.

Appreciation of the objectives of the policy itself, and vigilance, remain top priorities, and there should also be an effective response procedure should a breach occur. Ensure every member of your organization is singing from the same page, and securing your business’s all-important data is one step closer.