How do we develop information security policies?

There are many excellent references with detailed instructions on how to develop information security policies. For example, Information Security Policies Made Easy (ISPME) has a detailed, step-by-step guide written by Charles Cresson Wood. In general, the process involves five key steps:

First, define what security policies you need to have, either from a regulatory requirement or as the result of a risk assessment.

Second, assemble a team of individuals who will be responsible for authoring, reviewing and approving the written policies.

Third, write the specific policies that you need. You can either write them from “scratch” or adapt them from other security policies, such as the security policy templates found in ISPME.

Fourth, the written policies need to be reviewed and finalized, with a member of senior management being responsible for approving the published versions.

Finally, once the security policies have been approved and published, they must be rolled out to each member of the organization. This final step is critical. Information security policies are designed to be read and followed by people. If all of your employees and temporary workers are not made aware of the policies, they will be ineffective. Even worse, in the event of a serious data breach, management may be liable for damages if people are not made aware of the information security policies that apply to them.