
How To Draft an Information Security Policy


Drafting an information security policy provides definition to your organization’s security program, enabling your team to enforce a strong security posture.

One of the worst situations any information security team can find themselves in is to discover a large-scale security breach and have no idea what steps to take. Over my career as the President & CEO of The Penn Group, it doesn’t surprise me anymore when I find out how woefully inadequate most organizations’ security actually is.

Defining Cybersecurity For Your Organization

Cybersecurity is still relatively new, and for most executives, it has been a non-factor until the last 5 years. For many organizations, security is still a new activity that is handled by an overtaxed IT team. Typically, the information technology team is busy just trying to keep the organization functioning on a daily basis. Security topics are an afterthought, and a false sense of security prevails. Outside of the enterprise, the mindset is “we’ve never been breached before, why would we now?” This attitude galvanizes leadership against further preventative action on security topics. Ultimately, while the arguments in the meeting rooms are ongoing, the criminals have already infiltrated the network and exfiltrated the proprietary technology that enables the organization. This unfortunate situation is not only preventable but also increasingly common. Today, I want to take you through the first step in preventing a security breach: how to write an information security policy for your organization.

Key Takeaways:

  1. Defining information security is a required step for any security program. Cybersecurity definition is accomplished through a well-written information security policy.
  2. Creating an information security policy requires careful consideration of the organization’s activities and standards. The correct stakeholders must participate in the drafting of an information security policy.
  3. Policy should be read, updated, and maintained on a reasonable time schedule for your organization. Sign-off from the executive committee, security stakeholders, and employees should be achieved.

Download a free information security policy template.

Defining an Information Security Program Via Policy

One of the biggest mistakes IT leaders make when trying to solicit change in the organization is failing to get buy-in from senior executives. In order to sway the senior team, you have to articulate the why far better than the how. From an information security standpoint, there is a frustratingly consistent rub between the operational considerations of the business and the requirements to keep the organization secure. Consistently, security will lose this battle. It isn’t about winning, though; it’s about doing what is right to protect the organization. Security must have the ability to prove the organization’s stance on security, and that is where a security policy comes into play.

Defining information security is a required step for any security program. Cybersecurity definition is accomplished through a well-written information security policy. An information security policy must be broad enough to adequately protect the organization from itself. The security policy provides definition to the organization and gives guidance to the organization on how security must be performed. Importantly, a policy document is just that: a policy. It requires enforcement, oversight, and accountability to ensure the organization follows what is set forth in the information security policy. This is why the information security policy is so important. Ultimately, in order to prioritize security, the organization must accept the drawbacks of a strong security practice. This can be particularly tough for more seasoned employees to accept, as some of the implicit kingdoms will ultimately crumble. Defining the security program in policy, achieving buy-in from the executive committee, and enforcing strong security through oversight and accountability will dramatically improve your chances of keeping criminals out and your customers safe.

Consideration in Development of Information Security Policy

In order to create a strong information security policy, careful consideration must be taken to ensure the right topics are covered. Example topics a policy might include:

  1. Fair Computer Use
  2. Confidentiality of Data
  3. Integrity of Data
  4. Availability of Data
  5. Personal Data and Privacy
  6. Endpoint Usage
  7. Auditing and Logging
  8. Etc.

Creating an information security policy requires careful consideration of the organization’s activities and standards. An organization’s policy team may elect to separate some of the topics of the list above into distinct documents to enhance maintainability. When drafting a cybersecurity policy, the organization should consider things such as:

  1. What should the organization do and NOT do to protect its customers, employees, and data?
  2. What should IT/Security do and NOT do to protect the organization?
  3. What should third parties do and NOT do to protect the organization?

When considering what to write, think in terms of WHAT rather than HOW. A policy shouldn’t be a prescriptive list of dos and don’ts. These considerations must also be made with the right people involved. The correct stakeholders must participate in the drafting of an information security policy. Typically, directors from many different disciplines, including Legal, HR, IT, Compliance, and Finance, may be involved in the drafting of policy. It is important to keep in mind that a policy isn’t a document to be filled with legalese, requiring a lawyer to interpret it. The document must be clear, easy to understand, and as specific as possible as to WHAT the organization should do. This helps leaders determine what the organization should and shouldn’t be doing.

Cybersecurity Policy is a Living Process

If the organization is going to be held accountable to what a policy says, then the policy must be kept current. Your cybersecurity policy should be read, updated, and maintained on a reasonable time schedule for your organization. Importantly, include a change record on the policy document. Each time a change is made, a record should be entered on the document. If a significant change is made to the document, then the document should be reapproved by the executive committee. Sign-off from the executive committee, security stakeholders, and employees should be achieved. Every few years, commonly every 3 years, the policy should undergo a thorough review. Finally, as the information security program begins to mature, additional policies may be needed.

Summary:

Defining information security is a required step for any security program. Cybersecurity definition is accomplished through a well-written information security policy. Creating an information security policy requires careful consideration of the organization’s activities and standards. The correct stakeholders must participate in the drafting of an information security policy. Policy should be read, updated, and maintained on a reasonable time schedule for your organization. Sign-off from the executive committee, security stakeholders, and employees should be achieved. This is how to write an information security policy.

Written by Austin Harman, CISSP, CAP, Security+
© 2022 The Penn Group, LLC.