How to write an information security policy – with template example

Information security policies are one of an organisation’s essential defences, because employee error accounts for or exacerbates a substantial number of security incidents.

Whether they’re making honest mistakes, ignoring instructions or acting maliciously, employees are always liable to compromise information.

Technological defences can help mitigate the damage, but effective information security policies and procedures must accompany these.

What is an information security policy?

An information security policy establishes an organisation’s aims and objectives on various security concerns.

For example, a policy might outline rules for creating passwords or state that portable devices must be protected when out of the premises.

Unlike processes and procedures, policies don’t include step-by-step instructions on how to mitigate risks.

Instead, they acknowledge which risks the organisation intends to address and broadly explain the method that will be used.

What an information security policy should contain

Those looking to create an information security policy should review ISO 27001, the international standard for information security management.

Although the Standard doesn’t list specific issues that must be covered in an information security policy, it provides a framework that you can build around.

If you follow ISO 27001’s advice, your information security policy will:

What policies should you include?

Your policies will depend on your organisation’s needs, so it’s impossible to say which ones are mandatory.

However, some risks are so common that they’re practically universal. For example, you will almost certainly need policies on:

If employees are permitted to work remotely – or if you give them the option of checking their work emails in their spare time – you will need a remote access policy.

This policy addresses the vulnerabilities that occur when employees aren’t protected by the organisation’s physical and network security provisions.

For example, an employee working on a crowded train might expose sensitive information to someone peering over their shoulder.

Likewise, an opportunist criminal might steal the employee’s device if it’s left unattended.

There’s also the risk that an attacker on the same public Wi-Fi network, or running a rogue access point, could intercept the employee’s traffic in a man-in-the-middle attack.

The policy will therefore need to set out the organisation’s position on accessing the network remotely. It might, for instance, say that remote access is forbidden, that it can only be done over VPN, or that only certain parts of the network should be accessible remotely.

Practically every organisation gives its employees user accounts that give them access to sensitive information.

But unless employees secure these accounts with strong passwords, attackers can guess or crack weak ones quickly, typically by trying lists of common and previously breached passwords. Organisations must mitigate this risk by creating strict rules on what constitutes an acceptable password.

But it’s no good getting everyone in the organisation to create strong passwords if they use them for multiple accounts or leave them written down where someone might see them.

Your password policy should acknowledge the risks that come with poor credential habits and establish means of mitigating the risk of password breaches.
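A password policy is only useful if its rules can be enforced at the point where a password is set. The following is an added illustration, not code from the original article or from IT Governance, of how the rules described above (minimum length, a blocklist of known-weak passwords, no password derived from the account name, no reuse of recent passwords) become a checkable function. The minimum length, the history depth, the PBKDF2 iteration count and the blocklist entries are assumptions chosen for the example; a real deployment would draw the blocklist from a large breached-password corpus.

```python
"""Enforceable password policy checks (added example; parameters are assumptions)."""
import hashlib
import hmac
import os
from typing import Iterable, List, Optional, Tuple

MIN_LENGTH = 12          # assumed policy minimum; length matters more than complexity rules
HISTORY_DEPTH = 5        # assumed: reject reuse of the last five passwords
PBKDF2_ITERATIONS = 200_000  # assumed work factor for stored password hashes

# Constructed sample blocklist; a real list would hold millions of breached passwords.
BLOCKLIST = {
    "password", "password123", "letmein", "qwerty123456", "welcome1", "summer2024!",
}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a PBKDF2-HMAC-SHA256 hash with a random 16-byte salt; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches_history(password: str, history: Iterable[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate equals any previously stored (salt, digest) pair."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        # Constant-time comparison so a timing difference never leaks hash bytes.
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password: str, username: str,
                   history: Iterable[Tuple[bytes, bytes]] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems: List[str] = []
    normalized = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalized in BLOCKLIST:
        problems.append("appears on the blocklist of known-weak passwords")
    if username and username.lower() in normalized:
        problems.append("contains the account name")
    # Only the most recent HISTORY_DEPTH entries count, oldest first in the stored list.
    if matches_history(password, list(history)[-HISTORY_DEPTH:]):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    previous = [hash_password("correct horse battery staple")]
    for candidate in ("password123", "Alice-Wonderland-2024", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, "alice", previous) or "OK")
```

The checks are deliberately simple and deterministic so the same function can run in the account-creation form, the self-service reset page and any administrative tooling; a policy that is enforced in one place but not another is effectively optional.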

Managers often worry about staff doing non-work-related activities during office hours. However, they should be more concerned about what employees are doing than when they’re doing it.

Organisations have generally come to accept that employees will occasionally check their personal email or Facebook feed.

But they should draw the line at activities that could affect the organisation’s security, like visiting dodgy websites, installing potentially insecure apps or sharing work information with people who don’t work at the organisation.

You can reduce much of the risk by blocking certain websites. However, blocking isn’t foolproof, so you should also include a policy prohibiting employees from visiting any site that you deem unsafe.

Information security policy template

ISO 27001 Information Security Policy Template

Documenting your policies takes a lot of time and effort, and you might still overlook key policies or fail to address important issues. That’s why it’s a good idea to work with trusted information security experts like us.

Our ISO 27001 Information Security Policy Template gives you a head start on your documentation process.

Written according to the best practices outlined in ISO 27002, this template gives essential security guidance that you can customise to suit your organisation in minutes.

A version of this blog was originally published on 5 September 2019.


About The Author

Luke Irwin

Luke Irwin is a former writer for IT Governance. He has a master’s degree in Critical Theory and Cultural Studies, specialising in aesthetics and technology.