How to write an information security policy.


Introduction

So, an information security policy is important.  We all know this, I’m sure. But what is it, and what should be included?

In its simplest form, your policy contains the rules for your organisation around information security.  It's a way for your Board to set expectations for others to implement.

The content of these rules can depend on your industry and the regulation that applies to you.  Whatever rules or regulations you comply with, there are things you should probably include.  Here's a rundown of the main things to consider.

What should be included?

Standard policy gubbins

In most contexts there are things you have to include in any policy, security or otherwise.  These include:

  • Purpose
  • Responsibility for implementing the policy.
  • Who approved the policy and when.
  • Applicable rules you used to prepare the policy.
  • When it’s due to be reviewed again.

There are probably more, but this is a good start. This may seem like a waste of time in a smaller organisation, but I have learned over the years to just get these things done, otherwise you spend more time arguing over them with others. 

Governance

How does the Board or senior management make sure the right things are being done on security?  How do they communicate risk appetite and set expectations, and then monitor against them?  In my experience many organisations miss this, but it is critical.  Many security issues arise because of an erroneous or ill-informed decision.

People

Yes, there are people involved in securing things.  How do you set out their obligations, train them and enforce your policy?  It won’t matter until it matters, then it will matter a lot.  Think onboarding, training, phishing testing and disciplinary procedures.

Assets

Or, in English – what are you supposed to be securing?  Have a register of assets (computers, data, software etc.) and think about which are most important to you.  This helps you focus security in the right areas.

Access control

Approving new user accounts, removing redundant user accounts, password lengths, access rights based on least privilege, administrative access control and MFA all have a part to play here. 

Operational and technical security

This area covers the day-to-day things your IT team should be doing on your behalf.  Patching and updates, anti-virus, designing secure architecture, secure backup and managing firewalls.  Many clients think this is all security is about – that’s not true, but these are critical areas. 

Suppliers

What security do you expect of your suppliers, and what access will you give them to your systems?  This includes cloud providers.  This was a fairly small area that has ballooned in recent years.

Incident management

Your rules around security incident management, really.  Who runs it, who prepares plans, who tests them?

Business Continuity and Disaster Recovery Plans

You may want to include them here, or you may have a plan elsewhere.  Cover recovering the business (Business Continuity) and recovering the systems (Disaster Recovery) somewhere, though.  Think also about how you decide what to recover, in what order and by when (this is your business impact assessment), and how / how often you’ll do testing.

Compliance

How will you check whether the policy requirements are being applied?  It might be independent penetration testing, audit or compliance monitoring.  Whatever it is, you'll need something to report to the Board (see 'Governance' above).

How to compile it

If you know the areas you want to cover, simply write a list of rules: "We must do X".  Don't just list what you already do – think about what you should do.  If you don't do something you should, then that's an improvement area you need to work on, and that project of improvements is a big part of your security programme.

Done?

Your policy will never be perfect.  You’ll learn more about what works, and what’s needed, as the years go by.  Set yourself a deadline, compile your policy, get the Board happy with it for starters and then improve it as time moves forwards. 

If you want a helping hand, get in touch.  We can chat through what should be included, share the templates we have or even build it for you if you prefer.  It won't take that long to get together, and once you do, you'll be on a sound footing.
