How To Draft an Information Security Policy
Drafting an information security policy provides definition to your organization’s security program, enabling your team to enforce a strong security posture.

One of the worst situations any information security team can find themselves in is to discover a large-scale security breach and have no idea what steps to take. Over my career as the President & CEO of The Penn Group, it doesn’t surprise me anymore when I find out how woefully inadequate most organizations’ security actually is.
Defining Cybersecurity For Your Organization
Cybersecurity is still relatively new, and for most executives, it has been a non-factor until the last 5 years. For many organizations, security is still a new activity that is handled by an overtaxed IT team. Typically, the information technology team is busy just trying to keep the organization functioning on a daily basis. Security topics are an afterthought, and a false sense of security prevails. Outside of the enterprise, the prevailing mindset is “we’ve never been breached before, why would we now?” This attitude hardens leadership against further preventative action on security topics. Ultimately, while the arguments in the meeting rooms are ongoing, the criminals have already infiltrated the network and exfiltrated the proprietary technology that enables the organization. This unfortunate situation is not only preventable but also increasingly common. Today, I want to take you through the first step in preventing a security breach: how to write an information security policy for your organization.
Key Takeaways:
- Defining information security is a required step for any security program. Cybersecurity definition is accomplished through a well-written information security policy.
- Creating an information security policy requires careful consideration of the organization’s activities and standards. The correct stakeholders must participate in the drafting of an information security policy.
- Policy should be read, updated, and maintained on a reasonable time schedule for your organization. Sign-off from the executive committee, security stakeholders, and employees should be achieved.
Download a free information security policy template.
Defining an Information Security Program Via Policy
One of the biggest mistakes IT leaders make when trying to bring about change in the organization is failing to get buy-in from senior executives. In order to sway the senior team, you have to articulate the why far better than the how. From an information security standpoint, there is a frustratingly consistent rub between the operational considerations of the business and the requirements to keep the organization secure. Consistently, security will lose this battle. It isn’t about winning, though; it’s about doing what is right to protect the organization. Security must have the ability to prove the organization’s stance on security, and that is where a security policy comes into play.
Defining information security is a required step for any security program. Cybersecurity definition is accomplished through a well-written information security policy. An information security policy must be broad enough to adequately protect the organization from itself. The security policy provides definition to the organization and gives guidance on how security must be performed. Importantly, a policy document is just that: a policy. It requires enforcement, oversight, and accountability to ensure the organization follows what is set forth in the information security policy. This is why the information security policy is so important. Ultimately, in order to prioritize security, the organization must accept the drawbacks of a strong security practice. This can be particularly tough for more seasoned employees to accept, as some of their implicit kingdoms will ultimately crumble. Defining the security program in policy, achieving buy-in from the executive committee, and enforcing strong security through oversight and accountability will dramatically improve your chances of keeping criminals out and your customers safe.
Consideration in Development of Information Security Policy
In order to create a strong information security policy, careful consideration must be taken to ensure the right topics are covered. Example topics a policy might include:
- Fair Computer Use
- Confidentiality of Data
- Integrity of Data
- Availability of Data
- Personal Data and Privacy
- Endpoint Usage
- Auditing and Logging
- Etc.
Creating an information security policy requires careful consideration of the organization’s activities and standards. An organization’s policy team may elect to separate some of the topics of the list above into distinct documents to enhance maintainability. When drafting a cybersecurity policy, the organization should consider things such as:
- What should the organization do, and NOT do, to protect customers, employees, and data?
- What should IT/Security do, and NOT do, to protect the organization?
- What should third parties do, and NOT do, to protect the organization?
When considering what to write, think in terms of WHAT rather than HOW. A policy shouldn’t be a prescriptive list of dos and don’ts. These questions must also be weighed with the right people involved. The correct stakeholders must participate in the drafting of an information security policy. Typically, directors of many different disciplines, including Legal, HR, IT, Compliance, and Finance, may be involved in the drafting of policy. It is important to keep in mind that a policy isn’t a document to be filled with legalese, requiring a lawyer to understand. The document must be clear, easy to understand, and as specific as possible as to WHAT the organization should do. This helps leaders determine what the organization should and should not be doing.
Cybersecurity Policy is a Living Process
If the organization is going to be held accountable to what a policy says, then the policy should be kept up to date. Your cybersecurity policy should be read, updated, and maintained on a reasonable time schedule for your organization. Importantly, include a change record on the policy document. Each time a change is made, a record should be entered on the document. If a significant change is made to the document, then the document should be reapproved by the executive committee. Sign-off from the executive committee, security stakeholders, and employees should be achieved. Every few years, commonly 3 years, the policy should undergo a thorough review. Finally, as the information security program begins to mature, additional policies may be needed.
Summary:
Defining information security is a required step for any security program. Cybersecurity definition is accomplished through a well-written information security policy. Creating an information security policy requires careful consideration of the organization’s activities and standards. The correct stakeholders must participate in the drafting of an information security policy. Policy should be read, updated, and maintained on a reasonable time schedule for your organization. Sign-off from the executive committee, security stakeholders, and employees should be achieved. This is how to write an information security policy.
