Author: Grace Carter.
Your company’s information is extremely important, and writing an information security policy is paramount to keeping it secure. You will need to figure out how management views security, get a good framework, and then adapt it to the company. Decide on your mandates, sub-policies, and supplementary documents. Then you can design a policy with all the crucial elements, taking great care when writing and editing to ensure it is strong.
The first thing to be done is to find out how management views security. The security professional writing the policy has the job of being a good listener and understanding how management, as a whole, wants information to be protected. Key to this process is asking the right questions. Ask which types of information need to be protected, which of them are the highest priority, and which may need extra protection beyond the baseline.
Your Security Framework
“A good starting point is to use a security industry standards document, such as as a framework. Frameworks are seen as a plus by actors such as external auditors, but they alone do not make a good policy. These kinds of documents are generic and so must be combined with input from management. The best way to fit the two together is for the security professional to incorporate the standards document into the client organization’s existing structure and philosophy,” recommends Janet Holt, writer at .
Getting the mandates right is the most important aspect of your information security policy. An information security policy functions best when it exists as a small set of mandates that can be agreed on by everyone. The alternative is a policy that is too far-reaching and specific to ever function as a compliance document. A policy that lacks these kinds of mandates will soon contain so many exceptions that it will cease to function properly. The goal of a security professional is, after all, to ensure that the information security policy is observed to the same degree as other policies at the company.
In a large organization it will likely be necessary to divide the policy into sub-policies. Different parts of the organization, perhaps located in different parts of the world, will have different characteristics and requirements and thus require sub-policies. Make sure sub-policies do not repeat what is in the global policy. This kind of repetition is dangerous as it will cause sub-policies to diverge as they change over time.
Information security directives can sometimes be interpreted in multiple ways. To alleviate confusion, it is necessary to draw up supplementary documents, rather than enact sub-policies. Supplementary documents include: roles and responsibilities, technology standards, process, procedures, and guidelines.
Breaking Down an Information Security Policy
An information security policy must include a scope statement describing what information, facilities, and networks are covered. It must include an information classification scheme that is specific to the organization's own content rather than generic. For each classification category, the policy must be guided by management's goals for that category (for example, legal or regulatory obligations). The policy must fit into the context of existing management directives. It must also reference its supporting documents and state the organization-wide security mandates that everyone is expected to follow.
Writing Your Information Security Policy
Writing an important document such as an information security policy should not be approached lightly. This document underpins the protection of resources that are crucial to the organization, so it must be written professionally and thoroughly. Make sure you have a good handle on clear writing, grammar, proofreading, formatting, and editing. An error or ambiguous phrasing can undermine the policy's authority and leave a requirement open to more than one interpretation. Here are some reliable and helpful resources to get you started.
The Finished Product
Your information security policy is vital to the organization's existence, so approach the writing of it this way. We live in the age of information, so protecting it has become a top priority. Following these steps will not by itself make your information secure, but it will give you a policy that can actually be understood, agreed on, and enforced. Syncing management's priorities with a solid established framework, prioritizing a small set of mandates, and leaving room for sub-policies and supplementary documents will create an information security policy any company can depend on.