An information security policy (ISP) is a set of rules, policies and procedures designed to ensure all users and networks within an organization meet minimum IT security and data protection security requirements.ISPs should address all data, programs, systems, facilities, infrastructure, users, third-parties and fourth-parties of an organization.
What is the purpose of an information security policy?
An information security policy aims to enact protections and limit the distribution of data to only those with authorized access. Organizations create ISPs to:
Establish a general approach to information security
Document security measures and user access control policies
Detect and minimize the impact of compromised information assets such as misuse of data, networks, mobile devices, computers and applications
Protect the reputation of the organization
Comply with legal and regulatory requirements like NIST, GDPR, PDPA ( Malaysia) HIPAA and FERPA
Protect their customer's data, such as credit card numbers
Provide effective mechanisms to respond to complaints and queries related to real or perceived cyber security risks such as phishing, malware and ransomware
Limit access to key information technology assets to those who have an acceptable use
Why is an information security policy is important?
Creating an effective information security policy and ensuring compliance is a critical step in preventing security incidents like data leaks and data breaches. ISPs are important for new and established organizations. Increasing digitalization means every employee is generating data and a portion of that data must be protected from unauthorized access. Depending on your industry, it may even be protected by laws and regulations.
Sensitive data, personally identifiable information (PII), and intellectual property must be protected to a higher standard than other data.
Whether you like it or not, information security (InfoSec) is important at every level of your organization. And outside of your organization.
What are the key elements of an information security policy?
An information security policy can be as broad as you want it to be. It can cover IT security and/or physical security, as well as social media usage, lifecycle management and security training. In general, an information security policy will have these nine key elements:
Information security objectives
Authority and access control policy
Data support and operations
Security awareness training
Responsibilities and duties of employees
Other items an ISP may include
Outline the purpose of your information security policy which could be to:
Create an organizational model for information security
Detect and preempt information security breaches caused by third-party vendors, misuse of networks, data, applications, computer systems and mobile devices.
Protect the organization's reputation
Uphold ethical, legal and regulatory requirements
Protect customer data and respond to inquiries and complaints about non-compliance of security requirements and data protection
Define who the information security policy applies to and who it does not apply to. You may be tempted to say that third-party vendors are not included as part of your information security policy.
This may not be a great idea. Whether or not you have a legal or regulatory duty to protect your customer's data from third-party data breaches and data leaks isn't important. Customers may still blame your organization for breaches that were not in your total control and the reputational damage can be huge.
3. Information security objectives
These are the goals management has agreed upon, as well as the strategies used to achieve them.
In the end, information security is concerned with the CIA triad:
Confidentiality: data and information are protected from unauthorized access
Integrity: Data is intact, complete and accurate
Availability: IT systems are available when needed
4. Authority and access control policy
This part is about deciding who has the authority to decide what data can be shared and what can't. Remember, this may not be always up to your organization. For example, if you are the CSO at a Airline Company. You likely need to comply with PDPA and its data protection requirements for passenger data. If you store passenger records, they can't be shared with an unauthorized party whether in person or online.
An access control policy can help outline the level of authority ( Please read the related Article on the same) over data and IT systems for every level of your organization. It should outline how to handle sensitive data, who is responsible for security controls, what access control is in place and what security standards are acceptable.
It may also include a network security policy that outlines who can have access to company networks and servers, as well as what authentication requirements are needed including strong password requirements, biometrics, ID cards and access tokens. In some cases, employees are contractually bound to comply with the information security policy before being granted access to any information systems and data centers.
5. Data classification
An information security policy must classify data into categories. A good way to classify the data is into five levels that dictate an increasing need for protection:
Level 1: Public information
Level 2: Information your organization has chosen to keep confidential but disclosure would not cause material harm
Level 3: Information has a risk of material harm to individuals or your organization if disclosed
Level 4: Information has a high risk of causing serious harm to individuals or your organization if disclosed
Level 5: Information will cause severe harm to individuals or your organization if disclosed
In this classification, levels 2-5 would be classified as confidential information and would need some form of protection.
6. Data support and operations
Once data has been classified, you need to outline how data is each level will be handled. There are generally three components to this part of your information security policy:
Data protection regulations: Organizations that store personally identifiable information (PII) or sensitive data must be protected according to organizational standards, best practices, industry compliance standards and regulation. Please refer to PDPA Act if you are in Malaysia.
Data backup requirements: Outlines how data is backed up, what level of encryption is used and what third-party service providers are used
Movement of data: Outlines how data is communicated. Data that is deemed classified in the above data classification should be securely communicated with encryption and not transmitted across public networks to avoid man-in-the-middle attacks
7. Security awareness training
A perfect information security policy that no one follows is no better than having no policy at all. You need your staff to understand what is required of them. Training should be conducted to inform employees of security requirements, including data protection, data classification, access control and general cyber threats.
Security training should include:
Social engineering: Teach your employees about phishing, spearphishing and other common social engineering cyber attacks
Clean desk policy: Laptops should be taken home and documents shouldn't be left on desks at the end of the work day
Acceptable usage: What can employees use their work devices and Internet for and what is restricted?
8. Responsibilities and duties of employees
This is where you operationalize your information security policy. This part of your information security policy needs to outline the owners of:
Acceptable use policies
9. Other items an ISP may include
Virus protection procedure, malware protection procedure, network intrusion detection procedure, remote work procedure, technical guidelines, consequences for non-compliance, physical security requirements, references to supporting documents, etc.
What are the best practices for information security management?
A mature information security policy will outline or refer to the following policies:
Acceptable use policy (AUP): Outlines the constraints an employee must agree to use a corporate computer and/or network
Access control policy (ACP): Outlines access controls to an organization's data and information systems
Change management policy: Refers to the formal process for making changes to IT, software development and security
Information security policy: High-level policy that covers a large number of security controls
Incident response (IR) policy: An organized approach to how the organization will manage and remediate an incident
Remote access policy: Outlines acceptable methods of remotely connecting to internal networks
Email/communication policy: Outlines how employees can use the business's chosen electronic communication channel such as email, slack or social media
Disaster recovery policy: Outlines the organization's cybersecurity and IT teams input into an overall business continuity plan
Business continuity plan (BCP): Coordinates efforts across the organization and is used in the event of a disaster to restore the business to a working order
Data classification policy: Outlines how your organization classifies its data
IT operations and administration policy: Outlines how all departments and IT work together to meet compliance and security requirements.
SaaS and cloud policy: Provides the organization with clear cloud and SaaS adoption guidelines, this helps mitigate third-party and fourth-party risk
Identity access and management (IAM) policy: Outlines how IT administrators authorize systems and applications to the right employees and how employees create passwords to comply with security standards
Data security policy: Outlines the technical requirements and acceptable minimum standards for data security to comply with relevant laws and regulations
Privacy regulations: Outlines how the organization complies with government-enforce regulations such as GDPR or PDPA ( Malaysia ) that are designed to protect customer privacy
Personal and mobile devices policy: Outlines if employees are allowed to use personal devices to access company infrastructure and how to reduce the risk of exposure from employee owned assets