How to develop an effective information security policy

With cyber threats looming, you need to be proactive in protecting your organization. Writing or updating your information security policy is the place to start.

December 23, 2020

A new cyber attack starts every four seconds, according to the latest research, meaning that in the time it took you to read that sentence, another attack began.

The news doesn’t get any better from there. Some 25,000 unique malicious applications are detected and blocked every day. More than 65 percent of organizations worldwide have experienced a cyber attack. And ransomware attacks are increasing by 400 percent every year.

While most of these attacks fail, the ones that succeed have a staggering cost for organizations, at an estimated $4.24 million per breach. And some are far greater.

Canadian lender Desjardins Group recently revealed it had spent … $53 million in the wake of a breach earlier in the year that exposed personal information of 2.9 million members. Manufacturer Norsk Hydro said the final bill for its crippling cyberattack could be as high as $75 million. British Airways and Marriott have had to add $100 million each onto the final cost of their incidents after falling foul of GDPR.

The silver lining is that you can take steps to be ready for the attacks that will inevitably come. Cyber criminals target the weak points in your security: human errors, outdated software, and weak passwords. So, preparation starts with an information security policy, which serves as a guidebook for your employees and IT department to use best security practices.

In this article, we’ll explore the different types of information security policies, the key aspects of them, and their importance for different industries. We’ll also delve into the best practices for developing your own information security policy.

It’s important work to undertake. Because, as you’ve seen, every second counts.

Which type of policy do you need?

A first step in considering an IT security policy is to decide which type will best serve your needs. There are different kinds of policies, and they serve different purposes. It’s worth taking a moment at the start to look at these terms so that you understand what best suits you.

First, let’s examine the difference between cyber security and information security.

Cybersecurity vs. information security

Cybersecurity is the effort to defend against attacks that occur in cyberspace, such as phishing, hacking, and malware. These attacks most frequently target data, storage, and devices. Cybersecurity is concerned with safeguarding all of your digital, connected systems, which can mean actively combating the attacks that target your operation.

Information security, on the other hand, deals with protecting your organization’s information, whether digital or analog (paper records included). In practice this means controlling access, preventing unauthorized disclosure, and guarding against disruption. Think of it as the foundation of the safeguards around the data and information essential to your operation, built with tools such as encryption, two-factor authentication, and biometric checks such as facial recognition.

Information technology vs. information security

The difference between information technology and information security is also worth exploring. 

Information security deals with security issues around your data to make sure it is protected from potential attacks.

Information technology, on the other hand, is a term that encompasses all of the technology and devices that you use in the course of your operation.

When you’re developing policies, it’s important to be clear in the terms you use and the areas of your operation that each address.

What is an information security policy?

An information security policy combines the rules, regulations, and procedures you follow into a clear and concise document. It acts as a resource for employees, outlining how your organization stores, protects, and disseminates information, as well as expectations for employees.

Put more simply, it is the plan of action you put in place that instructs your employees on how to keep your data and technology protected against outside threats.

According to Netwrix, information security also depends significantly upon each organization’s specific structure and needs.

Since organizations have different business requirements, compliance obligations and staffing, there is no single information security policy that works for everyone. Instead, each IT department should determine the policy choices that serve their particular needs the best and create a straightforward document that is approved by high-level stakeholders.

An information security policy should:

  • Protect the confidentiality, integrity, and availability of your data
  • Minimize the risk of security breaches
  • Plan for digital security across your whole organization
  • Help with regulatory compliance

Importance of an information security policy

Employees don’t intend to open the door to security threats, but cyber criminals are savvy in attacking human weakness and error, as well as looking for soft spots in your digital infrastructure. Unfortunately, it only takes one slip up to create a breach and open your organization to the risk of huge financial ramifications.

Creating an IT security policy arms your employees with the information, training, and tools that they need to identify and avoid threats. With clear policy and practices, employees are more likely to comply with guidelines. An information security policy also standardizes procedures so that you will be more consistent in mitigating risk.

Put simply, it’s making the effort to prevent a problem rather than waiting to react after you’ve been attacked and struggling to manage the fallout. In addition to the financial cost, suffering a cyber attack can bring a serious loss of reputation as customers lose faith in your ability to protect their personal information.

You can think of an information security policy as a battle plan. Attackers are coming for you, like it or not. The only question is how prepared you are to defend the resources and reputation of your company.

Higher risk in certain industries

Unfortunately, some industries are particular targets of cyber criminals because of how valuable their information is.

Healthcare has been increasingly targeted by hackers, because patient privacy data is particularly valuable to exploit. This risk is magnified because such data is protected by HIPAA, meaning any provider that is breached faces financial losses, damage to reputation, and potential fines.

Government agencies are under attack from cyber criminals as well. In one instance, the city of Atlanta, Georgia, was hit by a ransomware attack. Once breached, an agency without tested, isolated backups faces the choice of either losing its data or paying the ransom to its attackers, and paying carries no guarantee that the data will be recovered.

To go deeper into the importance of information security policies, check out the PowerDMS Entrust Compliance Podcast.

How to: Information security policy development

By now you understand how grave the threat is and you’re ready to develop your own information security policy. Let’s look at the process step by step.

1. Start with an assessment

Often, organizations will want to begin with a risk assessment. In this stage, you go through your entire operation and identify all sensitive information. This could be private customer data, corporate records, financial documents, or other information that is proprietary and private. 

Once that is complete, you need to create a record of all of your systems, devices, and technology. Where and how do users access this data? What are the weak points that hackers will target? And what security systems do you already have in place?

Next, you need to evaluate what are and are not acceptable risks. The policy needs to be a balance of getting work done effectively and efficiently while providing the organization with an appropriate amount of protection against security threats.

This takes a collaborative process between key groups within the company to ensure multiple perspectives are heard, not just the security or compliance team making the policy in a vacuum.

Research by Kaspersky echoes this point, stating “this business vulnerability must be addressed on many levels, not just through the IT security department.”

2. Consider applicable laws and guidelines

Next, you should look at all local, state, and federal laws, as well as applicable industry standards, that cover information security. 

For instance, healthcare providers should consult HIPAA standards to make sure their IT security efforts meet what is required.

3. Include all appropriate elements

Not sure what to include in a corporate computer security policy? Use this list of common elements that appear in most standard security policies as a guideline.

  • Acceptable Use Policy (AUP): This policy governs how employees can use a website, network, or internet service. It might outline, for example, what types of files users can upload or download, or might prohibit harassing others or leaking company information. You might want to check out the detailed example from the SANS Institute of what an AUP looks like.
  • Access Control Policy (ACP): This policy outlines who has access to what information within your company and how this is monitored and controlled. To get a feel for what an ACP looks like, you might want to check out this example from the International Association of Privacy Professionals.
  • Passwords: This policy sets the rules and processes around password security: minimum length, whether passphrases are allowed, how candidate passwords are screened against known-breached lists, how stored passwords are protected, and when they must be changed. Current NIST guidance (SP 800-63B) favors length and breached-password screening over complexity rules and scheduled rotation, so require a change when there is evidence of compromise rather than on a fixed calendar.
  • Antivirus Software: This policy emphasizes whether or not antivirus software is required on each employee’s computer and explains why or why not.
  • Remote Access: This lays down ground rules on whether workers can access sensitive data outside the office firewall, and whether they must use a virtual private network (VPN) to reach corporate resources. It should also require multi-factor authentication at every remote entry point, and it addresses access from mobile devices.
  • BYOD (Bring Your Own Device): This policy delineates how and when employees can use their own technology to conduct company business and access company information.
  • Auditing and Policy Review: This underscores how – and how often – you’ll monitor and review your IT security policy. Because threats are constantly changing, this policy needs to be “a living document” that is regularly reviewed to ensure it stays up-to-date.
  • Enforcement: This explains how you plan to hold people accountable for following your computer security policies and procedures. It also clarifies what actions you’ll take if they don’t comply.
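The password element above is the one item in this list that turns directly into a check you can run at account creation or password change. The following is an added example, not code from the article or from PowerDMS: a password-acceptance check written along the lines of NIST SP 800-63B (length first, screening against a breached-password list, rejection of context words such as the username, no forced character-class mix). The policy parameters, the function names, and the small breached-password list are assumptions constructed for illustration; a real deployment would screen against a large compromised-password corpus.

```python
"""
Password-acceptance check in the spirit of NIST SP 800-63B (added example).

Hypothetical policy parameters (assumptions, not from the article):
  - minimum 8 characters, maximum 64, measured in characters after Unicode
    normalization so that passphrases with spaces are allowed
  - no composition rules (no forced digit/symbol mix) and no scheduled rotation;
    rotation is triggered by evidence of compromise, which is outside this check
  - reject passwords found in a breached-password list
  - reject passwords containing the user's own name or the organization's name
"""
import unicodedata

# Constructed sample of a breached-password list for the example only.
# A real deployment screens against a large corpus (for instance a Have I Been Pwned download).
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1", "summer2020"}

MIN_LEN, MAX_LEN = 8, 64


def normalize(password: str) -> str:
    """NFKC-normalize so visually identical Unicode input compares consistently."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, username: str, org_name: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    pw = normalize(password)
    problems: list[str] = []
    n = len(pw)

    if n < MIN_LEN:
        problems.append(f"too short ({n} < {MIN_LEN})")
    if n > MAX_LEN:
        problems.append(f"too long ({n} > {MAX_LEN})")

    lowered = pw.lower()

    # Breached-list screening: an exact, case-insensitive match is enough to reject.
    if lowered in BREACHED:
        problems.append("appears in breached-password list")

    # Context-specific words (username, organization) are easy for an attacker to guess.
    for label, word in (("username", username), ("organization name", org_name)):
        w = word.lower()
        if len(w) >= 3 and w in lowered:
            problems.append(f"contains {label} '{word}'")

    # Crude repetition check: "aaaaaaaa" or "abababab" pass the length rule but carry no entropy.
    if n >= MIN_LEN and len(set(lowered)) <= 2:
        problems.append("repetitive characters")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs for the example.
    for candidate in ("correct horse battery staple", "Password", "jsmith2024!", "abc123"):
        verdict = check_password(candidate, username="jsmith", org_name="Acme")
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Note what the check deliberately does not do: it never demands an uppercase letter, a digit, or a symbol, and it never asks how old the password is. A long passphrase with spaces passes, while a short "complex" string or a known-breached word is rejected, which is the behavior the policy text above describes.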

Because you can’t take a one-size-fits-all approach to develop an information security policy, you might need to include some additional elements depending on your individual circumstances. For instance, you might need to include policy components such as:

  • Security Profiles
  • Physical Security
  • Monitoring and Intrusion Detection
  • Disaster Recovery

4. Learn from others

You don’t have to go it alone in this cybersecurity policy development. It can be helpful to review an IT security policy template to see how others have approached this work.

For example, the SANS Institute publishes several policy templates. The NIST Cybersecurity Framework is another useful reference, though it is a risk-management framework for organizing your security program rather than a ready-made policy template.

While these are great starting points, remember that the structure and needs of your organization are unique, and no template can fit it exactly.

5. Develop an implementation and communication plan

Once you have your policy in place, you need to implement your policies with minimal disruption to your company’s workflow. Remember, this policy will directly impact employees and their work, so you need to make these changes easy for them to adopt.

It’s imperative that employees first understand the reasons behind the changes. Clearly explain why the company needs these policies, what’s at risk without them, and their role in protecting the company and its assets.

Next, employees need to comprehend the new policies and procedures. Make sure they’re written in easy-to-understand language and in a way that shows how these policies impact their daily routines.

Finally, they need to know where to go to find the policies when they have a question. That’s where PowerDMS can help. We provide a secure, online repository to store, manage, and disseminate all of your most important content – including your IT security policy. Our policy management solution makes it easy to find, easy to update, and easy to communicate what has changed and when.

6. Conduct regular security training

Part of creating a security-aware workforce means you need to regularly train your employees on security issues. It’s not enough to release a policy and assume everyone will comply all the time.

You need to provide ongoing training to teach employees the new policies and procedures and get them to understand the risks they can help mitigate. In most cases, this can be done annually. But for those in high-risk areas or with stricter access-control rules, this may need to be done more regularly and should definitely be a part of all new-hire onboarding.

This is where a policy management software like PowerDMS can help you create, deliver, test, and track training online, which streamlines the entire process and helps you save time and money. With online training delivery and powerful tracking, you can easily see who’s completed training and easily follow up with those who haven’t. Plus, you can measure training impact to boost retention.

While we can’t stop cyber criminals from targeting businesses and government agencies, we can prepare ourselves to stymie those attacks. Developing an information security policy and activating it within your organization will leave you prepared for when those attacks happen.

Now that you’re well versed in IT security policies, be sure to check out our article 10 essential policies for your organization to learn about other critical areas.

Start writing more effective policies

Write policies and procedures that better protect your organization and employees with our free 12-page guide.

Download Free Guide

Schedule a Consultation!

Everything you need to train, equip, and protect your public safety employees in a single system – from the moment they’re hired until they retire. Schedule a consultation to learn how PowerDMS can benefit you.