Infosec Policies: A Cheat Sheet

Information security policies are a necessary evil.

The trouble is that very few organizations take the time and trouble to create decent policies; instead they are happy to download examples and cut and paste as they see fit. The resulting mess is of little use to anyone, and can leave the business exposed to unforeseen issues.

Let’s look at a common scenario:

Your organization has been informed that you have to validate your compliance with the Payment Card Industry Data Security Standard (PCI-DSS). One of the daunting tasks ahead of you is having a policy in place that covers how your organization addresses all twelve requirements of the standard.

Do you have one in place?

You’re in luck! Consider this your quick information security policy cheat sheet. In my opinion, the following are the bare minimum policy components required to start building an effective information security policy, which will meet the requirements of many frameworks (not just PCI-DSS).

Purpose
This section simply describes the reason why the policy exists (the “why”).

Scope and Applicability
This section states what assets, infrastructure, and personnel are covered by the policy (the “where”).

Policy Statement
This section contains the overall body of the policy (the “what”).

Roles and Responsibilities
This section describes which roles (e.g. IT Security Department, Helpdesk) are involved and what their responsibilities are in relation to the policy (the “who”).

Maintenance and Review
This section describes how often the policy is reviewed (preferably annually, and after any significant change that affects the policy).

References and Supporting Documentation
This section lists any related policies and/or procedures.

Terms & Definitions
This section lists any relevant terms and definitions contained in the policy.

A policy document should be a simple statement of the business’s position on the chosen topic, not to be confused with the procedural documentation that deals with how the policy is to be enacted. Procedures are sometimes necessarily much longer documents, since they describe processes that must be followed. System-specific security policies and their corresponding procedures tend to fall into this category.

Ideally, the policy should be brief and to the point about the user’s responsibilities towards the information they collect, use, access or otherwise process, and should point them to the other relevant policies and procedures for the areas in which they operate.

By following these ideas, you should be able to create an effective information security policy and, more importantly, have employees who effectively look after your organization’s assets. Information security policies provide vital support to security professionals as they strive to reduce the risk profile of a business and fend off both internal and external threats.

In short, what makes a good policy?

  1. It is relevant to your audience.
  2. It is aligned to the needs of the business.
  3. It is applicable to the compliance and/or regulatory frameworks in which you operate.
  4. It is as short as possible.