An information security policy is a document that explains procedures designed to protect a company's physical and information technology resources and assets. It provides employees with clear instructions about acceptable use of company confidential information, explains how the company secures data resources and what it expects of the people who work with this information. Most importantly, the policy is designed with enough flexibility to be amended when necessary.
The first step in developing an information security policy is conducting a risk assessment to identify vulnerabilities and areas of concern. An effective policy will use information discovered during the assessment to explain its purpose, define the policy scope, indicate responsible individuals and departments, and include a method of measuring compliance.
Some employees may not understand the importance of managing confidential information, so an introductory section that explains the purpose of the document is essential. All employees need to understand the importance of reducing errors, reducing cost of downtime, improving recovery time and remaining compliant with regulations. The audience for this portion of the document includes every person in the organization.
The policy scope identifies what needs to be protected, where it is and who is ultimately responsible. It addresses employees, technology, local and remote facilities and business processes. It may specify anti-virus programs, password rotation methodology and who has physical access to records.
The responsibility and the compliance sections of the policy typically address individuals or departments. Supervisors or department managers may be charged with these duties, or they may be given to a dedicated security group or department.
A surprising number of companies develop information security through an ad hoc approach, leaving it up to users and their common sense. Companies doing this often experience virus attacks, have workstations disabled by malware and experience server downtime on a regular basis. Major corporations that lack a meaningful information security policy are also at risk of being victimized by organized crime. The bigger the organization the more likely they will become a target.
There are many different types of attacks, such as phishing, keylogging, password hacking or the introduction of a Trojan virus that can mine databases for credit card numbers and passwords. Success using any of these methods can mean substantial loss of assets for the company and a negative impact on their overall reputation.
A typical rollout sequence begins with an announcement followed by meetings with management and staff. Training sessions may follow. A security baseline is established along with procedures and guidelines. Since the policy is a living document, procedures may be modified when monitoring identifies a weakness or non-compliance issue. This may lead to additional training for specific departments.
All organizations should handle their information and the information of their clients and customers in a responsible manner. Consumers, businesses and governments are stakeholders in these activities and there is a high demand for technical professionals with respectable information security education and training. These positions require individuals with a specific skill set, often obtained through experience, training and certification.