There are several considerations for companies creating an information security policy. So, how can organisations ensure they have a strong policy in place which reflects the needs of the business?

There is a well-used saying in cyber security: cyber-attacks aren’t a matter of if, but when. Over the last few years, companies have started to build their risk management strategies in line with this.

Yet, while organisations can’t always prevent cyber-attacks, they can do their best to limit the damage when they are hit. One way of doing this is through a strong information security policy to protect the business. The benefits are multiple: it limits risk and reduces costs while helping the organisation meet its regulatory requirements.

A strong information security policy limits a firm’s risk and exposure, says Jason Manar, CISO at Kaseya. “A single intrusion can prove devastating to a business, and a strong policy helps mitigate both cost and reputational damage.”

Creating a strong information security policy sets the tone for an organisation by defining the culture, values and expectations, says Sam Peters, chief product officer at ISMS.online. He says it is also an essential tool to comply with industry regulations and ensure a robust security posture. “An effective information security policy provides clarity and removes inconsistent behaviours at all levels of the business by clearly outlining what the organisation expects, what’s prohibited and who is responsible.”

Information security policy – pitfalls to avoid

There are common pitfalls to avoid when establishing an information security policy. Many firms create over-complicated policies that are difficult to understand, but in most cases less is more, says Steven Furnell, IEEE senior member and professor of cyber security at the University of Nottingham. “It is better to have a selection of smaller and more digestible policies, rather than trying to throw everything into one ‘mega-policy’,” he says.

He suggests the information security policy can be the “high-level” document, in addition to a range of more specific security policies for particular topics. “This could include policies for home working or the use of mobile devices, which staff can then read according to their needs or daily activities.”

Avoid using technical jargon

When creating the security policy, it’s important to be clear. Companies should avoid using technical jargon and legal speak, says Peters.

Complex or unclear policies tend to create a culture of “security is too hard to get right,” Peters explains. “The policies are then seen as a barrier to getting business done, which increases your risk level if staff try to work around them.”

Most weak policies have a common pitfall: a lack of clear business purpose, says Will Dixon, global head of the academy and community at ISTARI. “Being ambiguous about the business purpose of any information policy causes people to bypass it.

“Instead, your information security policy must have a clear, easy-to-understand purpose which everyone in the business can comprehend.

“It can be designed to prevent information security breaches, protect the organisation’s reputation or uphold regulatory requirements,” Dixon suggests.

It is also important to remember that a strong information security policy needs to be kept up to date. Weak policies make the mistake of taking a “set it and forget it” approach, says Manar. “A policy needs to be regularly reviewed and audited to ensure it is having its intended purpose. If not, it’s an ineffective policy.”

Establishing an information security policy

When establishing an information security policy, assessing the organisation’s risk landscape is one of the best places to start, Peters says. This is true whether you’re looking to create an information security policy from scratch or want to review if an existing one meets your organisation’s needs, he says.

According to Peters, firms should start by determining their internal vulnerabilities, areas of concern, and external supply chain exposure – considering the risks from a data breach through to the chances of a total system outage.

As part of this, firms can consider the common cyber security threats faced by all businesses and take into account the industry they operate in. “Then you can think about how any identified risks would impact the confidentiality, integrity and availability of your data and systems,” Peters advises.

It makes sense to use frameworks, such as the ISO/IEC 27001 standard for information security management systems. “This helps ensure you’re addressing all relevant elements required for an effective information security policy,” says Peters.

A wealth of resources is available to information security managers to design or enhance their current policies, Dixon says. He cites the example of the SANS Institute, which offers free compliance frameworks with information security requirements available as reference documents.

When establishing the policy, Manar advises asking a few questions:

  • What do you want the policy to do?
  • Who is it for?
  • What are the objectives you hope to accomplish?

“You need to account for things such as authority, access control and network security policies, data classification and protection, data backup, and how you move and secure data,” says Dixon.

The policy should also include security awareness training and how frequently it needs to be carried out, as well as encryption practices. Meanwhile, roles and responsibilities must be “clearly defined for personnel”, says Manar.

At the same time, Brian Ventura, a certified instructor at SANS Institute, says the policies you create must be enforced. “The organisation must identify gaps in policy application and build plans and projects to apply it.”

It’s also important to remember that buy-in is integral. Ideally, IT needs to work with the business to ensure the security policy reflects what the business wants it to say, says Furnell. “The organisation needs to endorse the policy, promote it and provide the support for people to understand and comply with it from the start.”

The most effective information security policy is created collaboratively within an organisation, agrees Peters. “Buy-in from all critical business functions is essential to ensure any policy delivers clarity of requirement, consistency of behaviour and meets all regulatory compliance needs.”

This article first appeared in InformationAge.