Key Elements of Information Security Policies

What is an information security policy?

An Information Security Policy is a formal document that defines controls within your information security program. An information security policy is a high-level business rule that must be followed by the organization.

Example Policy: All Company X user accounts must be approves by a member of the information technology department.

In the above example, the policy is designed to make sure that all user accounts are formally approved before being granted. This is an example of an “Access Control Policy”. Notice that the policy statement does not specify a specific system or technology.

Key Point: Information Security Policies should not be dependent on a specific technical platform.

Why is an information security policy important?

Information security policies are required to formally document your information security program. They are also required to communicate cyber security requirements to end users and third-parties. In fact, information security policies are essentially written contracts with employees, third-parties and management specifying how information security will be implemented.

For example “Acceptable Use Policies” are designed to educate users on how to protect information. “Incident Response Policies” defined how the organization will respond to potential security problems. Your information security key policies are used to communicate to third-parties such as external auditors. For example, if your organization is trying to obtain a SOC 2 Audit, a SOC 1 report is required first and based on your information security policies.

Key Point: Information Security Policies are essential pieces of evidence to support validation of your program. They are required for both SOC II and ISO 27001.

What should an information security policy include?

An information security policy should contain several key sections that allow the policy documents to be managed and approved.

Purpose: The overall objectives of the policy, including why it is important.

Scope: The scope of the organization that the policies covers. For example, “All employees with access to sensitive information” or “Add production information systems”

Policy: This section contains the individual policy statements. Policy statements should be nor more than one to three clear sentences that address the control objective.

Policy Violations: This section most outline the consequences of non-compliance with security policy.

Approval: Who in the organization has approved the policy. This should be a member of senior management, ideally the CEO or CSO.

Revision History: A history of revisions to the policy including dates and people responsible.

While information security policies can include other sections, the previous set should be considered the absolute minimum for any viable cyber security policy.

How many information security policies should we have?

The number of information security policies can vary based on the needs of the organization. In general, a policy document should cover all of the controls from a single area, such as Access Control or Personnel Security. Based on our experience, the organization should have between 10 and 20 policy documents. These generally line up with the number of categories in key frameworks such as ISO 27002 or NIST CSF. Policy documents should also be small enough so that they cover a single topic but are also easy to read and understand. Thus, security policy documents should never be longer than a few pages.

Key Point: Information security policies should be between 1 and 5 pages in length.

What is the difference between a security policy and a standard?

A common mistake is to mix information security policies, standards and procedures within a single document. Information security policies should refer to information security standards and procedures, but not include them. For example:

Sample Policy: All production information systems must be configured according to Standards approved by the Information Security Department.

The above policy documents the key control – establishing secure configurations – but does not specify details for any system type. Configuration standards will be different for servers, databases and mobile devices.

What is the difference between security policies and procedures?

Information security policies are very different from procedures. Information security procedures are step-by-step instructions for implementing a specific policy or control.

Sample Policy: All changes to production information systems must follow an approved Change Control Procedure.

In the above policy, the control objective is defined – to require formal change control – but the specific steps are outlined in the specific Change Control Procedure. Keeping this concepts separate allows your organization to change specific procedures without impacting the written policy.

How often should information security policies be updates?

Most regulatory frameworks such as the ISO 27002 standard require “periodic” updates of security policies Frameworks such as NIST-CSF also required updates based on any “material” change to the organization. This implies that security policies should be updated based on two specific conditions:

  1. Some time period has passed (for example, 1 year)
  2. There has been a material change to the organization

The organization can define what a “material” change would be. Examples include a merger with another company, or a major technical migration from local to cloud environments. For most organizations, annual update of information security policies is sufficient. Especially of the documents are designed properly per our points above.

Key Point: Information security policies should be updates at least once each year.

Some security policy management tools like ComplianceShield support this process be providing an audit log and policy history.

Who should approve information security policies?

Information security policies are formal representations of your information security policies, Therefore they should be approved by a senior member of management, ideally the CEO. In larger organizations the policies can be approved by a role such as the Chief Information Security Officer, a senior manager who has been delegated to be responsible for information security,

Is there a Free security policy template?

There are several fine examples of security policy templates that you can use to get started. The security policy templates from Information Shield have been created by cyber security experts and passed thousands of external audits,