Information security policies play an important role in information security governance. They serve to formally communicate the general expectations and intentions of senior management with respect to safeguarding information, in accordance with the business objectives and needs of the organization. It is through a security policy that management demonstrates its support of and commitment to information security.
An information security policy generally includes the following:
- Scope (assets, people and activities targeted);
- Compliance with the legal (e.g., the Privacy Act), regulatory (e.g., the PCI DSS for processing banking data), or contractual requirements to which the organization is subject;
- Principles or guidelines to ensure the availability, integrity and confidentiality of information;
- Management of risks affecting information;
- Training and awareness requirements in terms of security;
- Reporting of security incidents or violations of security regulations;
- Continuity of the organization’s activities;
- Definition of the roles and responsibilities of the various players and stakeholders (management, managers, security officers, owners or holders of information assets, information resources, human resources, users, etc.);
- References to more detailed documents or regulations that specifically reinforce the policy’s components;
- The consequences of or penalties for noncompliance with the policy.
The organization’s management is responsible for applying the security policy. To that end, it must mandate someone to be responsible for its development, assessment and updating. Reviews on a regular basis (every three to five years) or when major changes have occurred are necessary to guarantee the policy’s relevance and effectiveness.
Given that an information security policy provides guidelines, it must be backed up and clarified with directives, standards, procedures, etc. From a tactical point of view, the directives uphold and clarify one or more components of the policy. They determine the concrete measures and obligations (e.g., a directive on the management of security incidents, logical access, backups, or vulnerability management), and are generally drawn up under the coordination of the security officer.
Security standards clearly define the minimum requirements for technologies, in terms of the measures, materials and software required. Procedures, which are operational in nature, detail how actions should be carried out to ensure that these requirements are respected.
The security policy must be communicated to all staff. A communication plan must be drafted and applied to ensure that organizational expectations are disseminated. It may be advisable to have employees sign an undertaking to respect this policy at the time they are hired, to ensure that they are acquainted with the policy and understand their obligations and responsibilities. The undertaking should be included in the employee’s file.
A code of conduct describing and summing up the behaviour expected to preserve the availability, integrity and confidentiality of information should be kept up to date and transmitted to the organization’s staff.
In addition, a training and awareness program should be developed and implemented to ensure that employees and managers completely understand the importance of information security and protection. This is all the more important, given that security incidents are often the result of human behaviour or factors.
To learn more about information security policies and industry-wide best practices in information security management, consult ISO/IEC 27002:2013: