Hands-on learning with Infosec Skills
Your Infosec Skills membership grants you access to:
• 270+ courses
• 40+ learning paths
• 100+ hands-on labs
• Certification practice exams
1. Definition & Intro
Information Security Policy (ISP) is a set of rules enacted by an organization to ensure that all users or networks of the IT structure within the organization’s domain abide by the prescriptions regarding the security of data stored digitally within the boundaries the organization stretches its authority.
An ISP is governing the protection of information, which is one of the many assets a corporation needs to protect. The present writing will discuss some of the most important aspects a person should take into account when contemplates developing an ISP. Putting to work the logical arguments of rationalization, one could say that a policy can be as broad as the creators want it to be: Basically, everything from A to Z in terms of IT security, and even more. For that reason, the emphasis here is placed on a few key elements, but you should make a mental note of the liberty of thought organizations have when they forge their own guidelines.
2 Elements of Information Security Policy
Institutions create ISPs for a variety of reasons:
- To establish a general approach to information security
- To detect and forestall the compromise of information security such as misuse of data, networks, computer systems and applications.
- To protect the reputation of the company with respect to its ethical and legal responsibilities.
- To observe the rights of the customers; providing effective mechanisms for responding to complaints and queries concerning real or perceived non-compliances with the policy is one way to achieve this objective.
ISP should address all data, programs, systems, facilities, other tech infrastructure, users of technology and third parties in a given organization, without exception.
2.3 Information security objectives
An organization that strive to compose a working ISP needs to have well-defined objectives concerning security and strategy on which management have reached an agreement. Any existing dissonances in this context may render the information security policy project dysfunctional. The most important thing that a security professional should remember is that his knowing the security management practices would allow him to incorporate them into the documents he is entrusted to draft, and that is a guarantee for completeness, quality and workability.
Simplification of policy language is one thing that may smooth away the differences and guarantee consensus among management staff. Consequently, ambiguous expressions are to be avoided. Beware also of the correct meaning of terms or common words. For instance, “musts” express negotiability, whereas “shoulds” denote certain level of discretion. Ideally, the policy should be briefly formulated to the point. Redundancy of the policy’s wording (e.g., pointless repetition in writing) should be avoided as well as it would make documents long-winded and out of sync, with illegibility that encumbers evolution. In the end, tons of details may impede the complete compliance at the policy level.
So how management views IT security seems to be one of the first steps when a person intends to enforce new rules in this department. Furthermore, a security professional should make sure that the ISP has an equal institutional gravity as other policies enacted within the corporation. In cases where an organization has sizeable structure, policies may differ and therefore be segregated in order to define the dealings in the intended subset of this organization.
Information security is deemed to safeguard three main objectives:
- Confidentiality – data and information assets must be confined to people authorized to access and not be disclosed to others;
- Integrity – keeping the data intact, complete and accurate, and IT systems operational;
Availability – an objective indicating that information or system is at disposal of authorized users when needed.
Donn Parker, one of the pioneers in the field of IT security, expanded this threefold paradigm by suggesting also “authenticity” and “utility”.
2.4 Authority & Access Control Policy
Typically, a security policy has a hierarchical pattern. It means that inferior staff is usually bound not to share the little amount of information they have unless explicitly authorized. Conversely, a senior manager may have enough authority to make a decision what data can be shared and with whom, which means that they are not tied down by the same information security policy terms. So the logic demands that ISP should address every basic position in the organization with specifications that will clarify their authoritative status.
Policy refinement takes place simultaneously with defining the administrative control, or authority in other words, people in the organization have. In essence, it is hierarchy-based delegation of control in which one may have authority over his own work, project manager has authority over project files belonging to a group he is appointed to, and the system administrator has authority solely over system files – a structure reminiscent of the separation of powers doctrine. Obviously, a user may have the “need-to-know” for a particular type of information. Therefore, data must have enough granularity attribute in order to allow the appropriate authorized access. This is the thin line of finding the delicate balance between permitting access to those who need to use the data as part of their job and denying such to unauthorized entities.
Access to company’s network and servers, whether or not in the physical sense of the word, should be via unique logins that require authentication in the form of either passwords, biometrics, ID cards, or tokens etc. Monitoring on all systems must be implemented to record logon attempts (both successful ones and failures) and exact date and time of logon and logoff.
Speaking of evolution in the previous point – as the IT security program matures, the policy may need updating. While doing so will not necessarily be tantamount to improvement in security, it is nevertheless a sensible recommendation.
2.5 Classification of Data
Data can have different value. Gradations in the value index may impose separation and specific handling regimes/procedures for each kind. An information classification system therefore may succeed to pay attention to protection of data that has significant importance for the organization, and leave out insignificant information that would otherwise overburden organization’s resources. Data classification policy may arrange the entire set of information as follows:
- High Risk Class– data protected by state and federal legislation (the Data Protection Act, HIPAA, FERPA) as well as financial, payroll, and personnel (privacy requirements) are included here.
- Confidential Class – the data in this class does not enjoy the privilege of being under the wing of law, but the data owner judges that it should be protected against unauthorized disclosure.
- Class Public – This information can be freely distributed.
Data owners should determine both the data classification and the exact measures a data custodian needs to take to preserve the integrity in accordance to that level.
2.6 Data Support & Operations
In this part we could find clauses that stipulate:
- The regulation of general system mechanisms responsible for data protection
- The data backup
- Movement of data
2.7 Security AwarenessSessions
Sharing IT security policies with staff is a critical step. Making them read and sign to acknowledge a document does not necessarily mean that they are familiar with and understand the new policies. A training session would engage employees in positive attitude to information security, which will ensure that they get a notion of the procedures and mechanisms in place to protect the data, for instance, levels of confidentiality and data sensitivity issues. Such an awareness training should touch on a broad scope of vital topics: how to collect/use/delete data, maintain data quality, records management, confidentiality, privacy, appropriate utilization of IT systems, correct usage social networking, etc. A small test at the end is perhaps a good idea.
2.8 Responsibilities, Rights and Duties of Personnel
General considerations in this direction lean towards responsibility of persons appointed to carry out the implementation, education, incident response, user access reviews, and periodic updates of an ISP.
Prevention of theft, information know-how and industrial secrets that could benefit competitors are among the most cited reasons why a business may want to employ an ISP to defend its digital assets and intellectual rights.
2.9 Reference to Relevant Legislation
2.10 Other Items that An ISP May Include:
Virus Protection Procedure, Intrusion Detection Procedure, Remote Work Procedure, Technical Guidelines, Audit, Employee Requirements, Consequences for Non-compliance, Disciplinary Actions, Terminated Employees, Physical Security of IT, References to Supporting Documents and so on.
Conclusion (Importance of ISP)
Out of carelessness mostly, many organizations without giving a much thought choose to download IT policy samples from a website and copy/paste this ready-made material in attempt to readjust somehow their objectives and policy goals to a mould that is usually crude and has too broad-spectrum protection. Understandably, if the fit is not a quite right, the dress would eventually slip off.
A high-grade ISP can make the difference between growing business and successful one. Improved efficiency, increased productivity, clarity of the objectives each entity has, understanding what IT and data should be secured and why, identifying the type and levels of security required and defining the applicable information security best practices are enough reasons to back up this statement. To put a period to this topic in simple terms, let’s say that if you want to lead a prosperous company in today’s digital era, you certainly need to have a good information security policy.
Bayuk J. (2009). How to Write an Information Security Policy. Retrieved on 04/06/2014 from http://www.csoonline.com/article/2124114/strategic-planning-erm/how-to-write-an-information-security-policy.html?page=2
Entrepreneur. Information Technology Security Policy. Retrieved on 04/06/2014 from http://www.entrepreneur.com/formnet/form/731
IG Toolkit (2007). NHS CFH_Corporate InfoSec Policy Template 2007. Retrieved on 04/06/2014 from https://www.google.bg/?gfe_rd=cr&ei=kNYlU52dLOPb8gf93oG4CQ#q=NHS+CFH_Corporate+InfoSec+Policy+Template+2007
Olson, I & Abrams, M. Information Security Policy. Retrieved on 04/06/2014 from http://www.acsac.org/secshelf/book001/07.pdf
Perkins, J. (2013). Information Security Policy. Retrieved on 04/06/2014 from http://www.lse.ac.uk/intranet/LSEServices/policies/pdfs/school/infSecStaIT.pdf
Scott, A. (2013). How to create a good information security policy. Retrieved on 04/06/2014 fromhttp://www.computerweekly.com/feature/How-to-create-a-good-information-security-policy
Sophos Ltd. SophosLabs Information Security Policy.Retrieved on 04/06/2014 fromhttp://www.sophos.com/en-us/legal/sophoslabs-information-security-policy.aspx
Techopedia. Information Security Policy. Retrieved on 04/06/2014 from http://www.techopedia.com/definition/24838/information-security-policy
Timms, N. (2014). Secure Networks: How to Develop an Information Security Policy. Retrieved on 04/06/2014 from http://www.networkcomputing.com/secure-networks-how-to-develop-an-information-security-policy/a/d-id/1234642?
The University of Illinois (2014). Information Security Policy – The University of Illinois. Retrieved on 04/06/2014 from http://www.obfs.uillinois.edu/cms/one.aspx?portalId=909965&pageId=914038
University of Oxford (2012). Information Security Policy. Retrieved on 04/06/2014 from http://www.it.ox.ac.uk/media/global/wwwitservicesoxacuk/sectionimages/security/Information_Security_Policy_2012_07.pdf
The background image in Diagram 2 is made by geralt.Retrieved on 04/06/2014 from http://pixabay.com/en/man-businessmen-woman-economy-162951/