An information security policy is the foundation of an enterprise security program, ideally establishing in clear language what the organization expects from its security operations based on both its tolerance for risk and on its regulatory obligations.
Yet security advisers say many organizations fail to give adequate attention to writing and maintaining strong information security policies, instead filling in blanks on generic templates and filing them away.
“It’s too often seen [by enterprise leaders] as an exercise to do, so that they can just check the box as done,” says John Pescatore, director of emerging security trends for SANS Institute, a research and education organization focused on information security.
On the other hand, organizations that tailor the information security policy to their own needs and circumstances based on enterprise risk, risk tolerance, regulatory requirements and desired best practices and who opt to actively manage their policy with scheduled reviews and updates when needed create a strong basis for their entire security program. As a result, they’re better positioned to achieve the security posture they seek.
Here are answers to seven common questions about information security policies.
An information security policy is a high-level view of what should be done within a company in regard to information security.
“It’s the baseline that executives use to define what is secure enough for their company,” says Bryce Austin, CEO of the cybersecurity consulting firm TCE Strategy and the author of the book Secure Enough: 20 Questions on Cybersecurity for Business Owners and Executives.
Austin compares it to a charter, explaining that it’s not “supposed to solve all the problems, it’s to declare the problems you’ll take on and to provide guidance on how seriously you take them.”
Government regulations as well as certain business standards, such as those set by the Payment Card Industry Data Security Standard (PCI DSS), specifically require organizations to develop an information security policy as well as other types of security-related programs.
A policy, however, is more than a compliance requirement. It is a tool that alerts the organization on the security risks they face and guides them on how they should counter them and to what degree. It also informs people as to what actions are acceptable, which are not and what measures, rules and restrictions need to be in place to ensure security.
“If you’re going to manage the entire company from the perceptive of security, the policy is the best tool to do that,” says Richard Stiennon, chief research analyst at IT-Harvest and author of Security Yearbook 2020.
The policy also can remove, or at least reduce, inconsistencies in an organization’s approach to security by documenting what’s expected, what’s prohibited, and who has responsibility for what pieces of the security program.
“The importance there is to easily communicate your program and what is appropriate and what is not,” says Andrew Dutton, a virtual CISO with DuHart Consulting.
As such, CISOs and their security teams as well as compliance, risk and legal leaders can point to the information within the policy when explaining security-related needs to business units that might be trying to push back on certain procedures or processes put in place to meet the policy objectives.
Additionally, the policy can be used to guide an organization’s responses to clients or partners who might ask for proof of adequate security efforts before doing business together.
The CISO typically leads the development of and updates to a security policy, but the CISO should also work with executives from finance, physical security, legal, human resources and a least one business unit to form a committee or working group to collaboratively craft an up-to-date policy.
“The CISO owns responsibility for the policy, but buy-in has to happen from the rest of the executive team,” says Brian Haugli, a partner and co-founder of SideChannel, a strategic cybersecurity consulting and advisory firm.
The team should start with a risk assessment to determine the organization’s vulnerabilities and areas of concern, from the potential for a data breach to the chances of a wide-scale system outage. They should assess how those potential incidents would impact the confidentiality, integrity and availability of data and systems. The team also needs to understand the organization’s tolerance for the various risks, outlining which concerns rank as low risk and which would jeopardize the organization’s survival. Then the team should consider the regulatory requirements it must meet.
From there, the CISO should articulate what level of security is required for the identified vulnerabilities and areas of concern, matching the required level of protection with the organization’s risk tolerance so that areas where there’s the lowest tolerance for risk get the highest levels of security.
Security experts advise CISOs and their teams to use frameworks, such as the ISO/IEC 27001 standards for information security management systems, to ensure they’re addressing all relevant elements.
Although security leaders recommend each organization develop its own unique policy, they also agree that all policies should contain language addressing various fundamental components that are universal.
Given that, they say all policies should detail the organization’s security objective, the policy’s scope of coverage, asset classification, asset management, access controls, password management, data classification, acceptable use, antivirus and patch management and even physical security.
Dutton says some organizations may also want to include statements around remote access, mobile devices, vendor management and cloud security. Others advise CISO to detail the regulatory requirements that the organization must meet, the information security management structure and which responsibilities belong to which positions.
Security leaders also recommend that CISOs aim to craft a policy that’s concise and clearly written. “I find people tend to get overly complicated with the IS policy; it is a charter that should be kept as simple as it can whenever possible,” Austin says.
Austin says information security policies should not include detailed descriptions on how the organization will achieve all the objectives presented in the policy. The policies shouldn’t have technical components, either.
“It’s not supposed to tell you how to implement all this,” Haugli adds.
Details on how the organization will meet the information security policy’s objectives can be found in various sub-policies, standards, guidelines and processes. “That’s where you’re making decisions around certain components of the security policy,” Haugli explains.
For example, the information security policy may establish that encryption is required for all data classified as sensitive or confidential, but a separate document provides details on the encryption standards to be met.
“When I think about an information security policy, I think of it as a global one where I talk about the risk tolerance of the company and the frameworks the company will follow, the very high-level stuff that the CEO needs to worry about,” Austin says. “But when we get into issues like the password policy, the CEO doesn’t need to know the minimum characters in a password. That requirement does need to exist, just not in the [master] policy. Similarly, we need to know, for example, what ports can be open to the internet or what encryption technology do we use. Those should be found in the technical specifications that support the information security policy.”
According to Dutton, other topics that may be broken out and detailed in supporting documents include cybersecurity strategy, backup restoration, disaster recovery, business continuity, incident response, data stewardship/data loss prevention and insider threats.
Some regulations require annual reviews of the information security policy, but security experts say the rapid pace of technology advances and the ever-evolving threat landscape necessitate more frequent reviews and updates of the supporting standards, guidelines, processes and procedures — in addition to the master policy itself. “It’s not a once-a-year activity; it’s continuous,” says Roger Hale, CISO-in-Residence at YL Ventures.
Experts acknowledge that it’s unreasonable to expect an organization to perform a full-scale risk assessment more than once a year — in fact, some already struggle to do that on an annual basis — but organizations should be prepared to update these documents as new laws come into effect or regulatory requirements get tweaked or as new threats emerge.
Pescatore advises CISOs to have a process in place, perhaps an information security policy committee review process, to determine whether changing circumstances necessitate updates to the information security policy or any of the supporting guidelines, processes, procedures or standards.