Every organization needs to have security measures and policies in place to safeguard its data. Along with risk management plans and purchasing insurance policies, having a robust information security policy (and keeping it up-to-date) is one of the best and most important ways to protect your data, your employees, your customers, and your business.
What is an Information Security Policy?
An information security policy brings together all of the policies, procedures, and technology that protect your company’s data in one document.
According to Infosec Institute, the main purposes of an information security policy are the following:
- To establish a general approach to information security.
- To detect and forestall the compromise of information security such as misuse of data, networks, computer systems, and applications.
- To protect the reputation of the company with respect to its ethical and legal responsibilities.
- To observe the rights of the customers; providing effective mechanisms for responding to complaints and queries concerning real or perceived non-compliance with the policy is one way to achieve this objective.
Information security is a key part of many IT-focused compliance frameworks. If you’re doing business with large enterprises, healthcare customers, or government agencies, compliance is a necessity. Standards like SOC 2, HIPAA, and FedRAMP are must-haves, and sometimes even contractually required. A detailed information security policy will put you much closer to compliance with the frameworks that make you a viable business partner for many organizations.
Common Compliance Frameworks with Information Security Requirements
The following are some of the most common compliance frameworks that have information security requirements that your organization may benefit from being compliant with:
SOC 2 is a compliance framework that isn’t required by law but is a de facto requirement for any company that manages customer data in the cloud. A SOC 2 report is an independent auditor’s attestation, against the AICPA Trust Services Criteria, that your controls for handling customer data are suitably designed (Type 1) and, over a review period, operating effectively (Type 2). Preparing for it requires you to define and consistently follow information security controls that maintain the confidentiality and integrity of your customers’ data.
HIPAA is a U.S. federal law whose Security Rule sets standards for protecting electronic protected health information (ePHI). Under HIPAA, any “covered entity” (i.e., any organization providing treatment, payment, or operations in healthcare) and any of its business associates who have access to patient information have to follow a strict set of rules. HIPAA breaches can have serious consequences, including fines, lawsuits, or even criminal charges.
ISO 27001 is a security standard that lays out specific requirements for an organization’s information security management system (ISMS). ISO 27001 is noteworthy because it doesn’t just cover electronic information; it also includes guidelines for protecting information like intellectual property and trade secrets. ISO 27001 isn’t required by law, but it is widely considered to be necessary for any company handling sensitive information.
NIST SP 800-53 is a catalog of hundreds of specific security and privacy controls that can be used to protect an organization’s operations and data and the privacy of individuals. Federal agencies use it to maintain the confidentiality, integrity, and availability of federal information systems. It was designed for government use, but businesses in other industries commonly adopt it to improve their security programs. In many cases, following NIST guidance will help organizations satisfy other data protection regulations and standards, because many frameworks map their requirements back to NIST controls.
PCI DSS, shorthand for Payment Card Industry Data Security Standard, is a framework that helps businesses that accept, process, store, or transmit credit card data keep that data secure. It applies to any company that handles credit card data or cardholder information. Based on a company’s annual transaction volume and whether or not it stores cardholder data, each business will need to comply with one of the four PCI DSS merchant compliance levels, which determine how its compliance is validated.
What Should be in an Information Security Policy?
An information security policy can be tough to build from scratch; it needs to be robust and cover your organization end to end. It should address all software, hardware, physical premises, human resources, information, and access control. It also needs to be flexible and have room for revision and updating, and, most importantly, it needs to be practical and enforceable. Wishful thinking won’t help you when you’re developing an information security policy. You need to work with the major stakeholders to develop a policy that works for your company and for the employees who will be responsible for carrying it out.
Here are a few of the most important information security policies and guidelines for tailoring them for your organization.
Acceptable Use Policy
This policy outlines the acceptable use of computer equipment and the internet at your organization. Improper use of the internet or computers opens your company up to risks like malware infections, compromised systems and services, and legal liability, so it’s important to have in writing what is and isn’t acceptable use.
An acceptable use policy should outline what employees are responsible for in regard to protecting the company’s equipment, like locking their computers when they’re away from their desk or safeguarding tablets or other electronic devices that might contain sensitive information. It should also spell out what rights the company reserves (for example, to monitor its own systems) and which activities are prohibited on the company’s equipment and network.
Acceptable use policies are a best practice for HIPAA compliance because exposing a healthcare company’s system to viruses or data breaches can mean allowing access to personal and sensitive health information.
Clean Desk Policy
A clean desk policy focuses on the protection of physical assets and information. Ideally, this policy will ensure that all sensitive and confidential materials are locked away or otherwise secured when not in use or when an employee leaves their desk.
This policy should establish the minimum requirements for maintaining a clean desk, such as where sensitive information about employees, intellectual property, customers, and vendors can be stored and accessed. It should also cover things like which kinds of materials must be shredded rather than thrown away, whether a PIN or badge is required to release documents from a printer, and which information or property has to be secured with a physical lock.
In addition to being a common and important part of any information security policy, a clear desk and clear screen control is part of ISO/IEC 27001’s Annex A (drawn from ISO/IEC 27002, formerly ISO/IEC 17799), so having one documented and enforced will help your business pass a certification audit.
Data Breach Response Policy
This is also known as an incident response plan. The purpose of a data breach response policy is to establish the goals and vision for how your organization will respond to a data breach. It will not stop you from being attacked, but it limits the damage when an attack succeeds, because it details how your organization will protect its data assets throughout the incident response process rather than improvising under pressure.
This policy should define who it applies to and when it comes into effect, including the definition of a breach, staff roles and responsibilities, standards and metrics, reporting, remediation, and feedback mechanisms.
Disaster Recovery Plan Policy
This policy is different from a data breach response plan because it is a general contingency plan for what to do in the event of a disaster or any event that causes an extended loss of service. This policy should describe the process to recover systems, applications, and data during or after any type of disaster that causes a major outage. The disaster recovery plan should be reviewed at least annually, and whenever systems or key staff change significantly.
The contingency plan should cover these elements:
- Emergency outreach plan. Explicitly list who needs to be contacted, when they need to be contacted, and how you will contact them.
- Succession plan. Describe the flow of responsibility when the normal staff are unavailable to perform their duties.
- Data classification plan. Detail all the data stored on all systems, its criticality, and its confidentiality.
- Criticality of service list. List all the services provided and their order of importance.
- Data backup and restoration plan. Detail which data is backed up, where, and how often. Also explain how the data can be recovered.
- Equipment replacement plan. Describe which hardware and infrastructure must be replaced or rebuilt, in what order, to resume providing services to customers.
- Public communications. Document who will own the external PR function and provide guidelines on what information can and should be shared.
It’s important that the management team set aside time to test the disaster recovery plan. These tests range from tabletop exercises, where the team walks through a scenario on paper, to actual failover and restore drills; in both cases the goal is to identify issues that were not obvious in the planning phase and that could cause the plan to fail. This way, the team can adjust the plan before a disaster takes place.
Email Policy
Email is a critical communication channel for businesses of all types, and the misuse of email can pose many threats to the security of your company, whether it’s employees using email to distribute confidential information or inadvertently exposing your network to malware. It’s important for all employees, contractors, and agents operating on behalf of your company to understand appropriate email use and to have policies and procedures laid out for archiving, flagging, and reviewing emails when necessary.
This policy needs to outline the appropriate use of company email addresses and cover things such as what types of communications are prohibited, data security standards for attachments, rules regarding email retention, and whether the company is monitoring emails.
This policy should also be clearly laid out for your employees so that they understand their responsibility in using their email addresses and the company’s responsibility to ensure emails are being used properly. This email policy isn’t about creating a “gotcha” policy to catch employees misusing their email, but to avoid a situation where employees are misusing an email because they don’t understand what is and isn’t allowed.
End-User Encryption Key Protection Policy
Certain documents and communications inside your company or distributed to your end users may need to be encrypted for security purposes. Have a policy in place for protecting those encryption keys so they aren’t disclosed or fraudulently used.
This policy should outline all the requirements for protecting encryption keys and list out the specific operational and technical controls in place to keep them safe. This includes things like tamper-resistant hardware, backup procedures, and what to do in the event an encryption key is lost, stolen, or fraudulently used.
Password Protection Policy
Your employees likely have a myriad of passwords to keep track of and use on a day-to-day basis, and your business should have clear, explicit standards for creating strong passwords for their computers, email accounts, electronic devices, and any other point of access they have to your data or network.
This policy also needs to outline what employees can and can’t do with their passwords. It might seem obvious that they shouldn’t put their passwords in an email or share them with colleagues, but you shouldn’t assume that this is common knowledge for everyone. Give your employees all the information they need to create strong passwords and keep them safe to minimize the risk of data breaches.
Finally, this policy should outline what your developers and IT staff must do so that any applications or websites run by your company keep user passwords safe: store them only as salted, deliberately slow hashes (for example bcrypt, scrypt, Argon2, or PBKDF2), never in plain text or in a reversibly encrypted form, check new passwords against the policy and against known breached passwords, and compare hashes in constant time when verifying a login.
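The following block is an added example, not code from the original article, showing how a developer might implement the two pieces of the password policy that fall on engineering: checking a candidate password against the rules and storing it as a salted, slow hash. It assumes PBKDF2-HMAC-SHA256 with 600,000 iterations and a 16-byte random salt (chosen here as an illustration; the organization's own policy sets the real parameters), and the minimum length and breached-password blocklist are constructed placeholders.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example; the organization's policy sets the real ones.
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor
SALT_BYTES = 16        # per-password random salt
MIN_LENGTH = 12        # minimum password length required by the (assumed) policy

# Constructed stand-in for a breached-password feed; a real check would query a large list.
BLOCKLIST = {"password", "password123", "welcome1", "qwerty123456", "letmein"}


def check_policy(password: str) -> list:
    """Return the policy rules the candidate password breaks (empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BLOCKLIST:
        problems.append("appears in the breached-password blocklist")
    return problems


def hash_password(password: str) -> str:
    """Derive a salted, iterated hash. The stored string carries its own parameters
    so they can be raised later without breaking verification of older records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare in
    constant time, so the comparison itself does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    candidate = "correct-horse-battery-staple"   # constructed example password
    print("policy problems:", check_policy(candidate))
    record = hash_password(candidate)
    print("stored record:", record)
    print("login with right password:", verify_password(candidate, record))
    print("login with wrong password:", verify_password("wrong-password-123", record))
```

Two points worth noticing: the same password hashed twice yields two different records because each call draws a fresh salt, and the iteration count is stored with the hash so it can be raised over time as hardware gets faster.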
Security Response Plan Policy
A security response plan lays out what each team or business unit needs to do in the event of some kind of security incident, such as a data breach. According to the SANS Institute, it should define, “a product description, contact information, escalation paths, expected service level agreements (SLA), severity and impact classification, and mitigation/remediation timelines.”
The key to a security response plan policy is that it helps all of the different teams integrate their efforts so that whatever security incident is happening can be mitigated as quickly as possible. While each department might have its own response plans, the security response plan policy details how they will coordinate with each other to make sure the response to a security incident is quick and thorough.
Information Security Policy Template
There are a number of reputable organizations that provide information security policy templates. For instance, the SANS Institute collaborated with a number of information security leaders and experts to develop a set of security policy templates for your use. You can get them from the SANS website.
Further, if you’re working with a security/compliance advisory firm, they may be able to provide you with security policy templates and specific guidance on how to create policies that make sense (and ensure you stay compliant with your legal obligations).
Keep in mind that templates are the starting point for developing your own policies; they must be customized to fit your organization’s processes and needs.
Information Security Policy Examples
The National Institute of Standards and Technology (NIST) Cybersecurity Framework offers a great outline for drafting policies for a comprehensive cyber security program.
The Five Functions System
The “Five Functions” system covers five pillars for a successful and holistic cyber security program. These functions are:
- Identify. The organization should have an understanding of the assets it owns and the cybersecurity risks it faces so it can prioritize its efforts.
- Protect. This is about putting appropriate safeguards in place to protect data assets and limit or contain the impact of a potential cybersecurity event. This includes educating and empowering staff members within the organization to be aware of risks, establishing procedures that focus on protecting network security and assets, and potentially utilizing cyber liability insurance to protect a company financially in the event a cybercriminal is able to bypass the protections that are in place.
- Detect. Outline the activities that assist in discovering the occurrence of a cyber attack and enable timely response to the event. Timely detection depends on logging, monitoring, and alerting, which are only as good as the asset inventory and data classification behind them: you cannot notice that a sensitive system is behaving abnormally if you do not know it exists or what it holds.
- Respond. Document the appropriate actions that should be taken following the detection of cybersecurity threats. A company’s response should include proper and thorough communication with staff, shareholders, partners, and customers as well as with law enforcement and legal counsel as needed.
- Recover. Determine how an organization can recover and restore any capabilities or services that were impaired due to a cyber attack.
Almost every security standard includes a requirement for some type of incident response plan, because even the most robust information security programs can still fall victim to a data breach.
For more details on what needs to be in your cybersecurity incident response plan, see the article How to Create a Cybersecurity Incident Response Plan. Fortunately, the Center for Internet Security and the Multi-State Information Sharing & Analysis Center have provided a security policy template guide that maps the security activities recommended in the Cybersecurity Framework to applicable policy and standard templates; it is available free of charge.
Incorporate Security Awareness Training
With all of these policies and programs in place, the final piece of the puzzle is to ensure that your employees are trained on and understand the information security policy.
Training should start on each employee’s first day, and you should continually provide opportunities for them to revisit the policies and refresh their memory. It’s also important to find ways to ensure the training is sticking and that employees aren’t just skimming through a policy and signing a document. Interactive training, or a short test once employees have completed their training, makes it more likely that they will pay attention and retain information about your policies.
You should also look for ways to give your employees reminders about your policies or provide them with updates on new or changing policies. Monthly all-staff meetings and team meetings are great opportunities to review policies with employees and show them that management believes these policies are important. Making information security a part of your culture will make it that much more likely that your employees will take those policies seriously and take steps to secure data.
Technology Allows Easy Implementation of Security Policies & Procedures
While it’s critical to ensure your employees are trained on and follow your information security policy, you can implement technology that will help fill the gaps of human error.
Antivirus and endpoint protection products vary widely, and depending on your company’s size and industry, your needs will be unique. But at the very least, the product should scan your employees’ computers for known-malicious files and quarantine them. Many products also inspect web and email traffic, which helps when employees visit sites that try to deliver malware. Note that antivirus does not find missing patches or misconfigurations; that is the job of vulnerability scanning, described below.
Firewalls are a basic but vitally important control. They allow or block traffic entering and leaving your network according to rules you define (source and destination addresses, ports, and protocols), which limits the paths an attacker or malware can use; next-generation firewalls can additionally inspect application-layer traffic for known threats. A firewall does not examine every file that crosses it, so it complements rather than replaces endpoint protection.
If something goes wrong with a system or service, you want to know as soon as possible so that you can address it. Monitoring and logging tools watch availability and performance and, more importantly for security, record who did what and when on each system, so that when an incident occurs you can reconstruct the events leading up to it. Send logs to a central store that an attacker who compromises one host cannot alter or delete, and retain them long enough to cover the time it typically takes to discover an intrusion.
Vulnerability scanners such as OpenVAS, and port scanners such as Nmap (whose scripting engine includes vulnerability checks), enumerate the services exposed on your systems and flag known weaknesses, giving your IT team a list to patch, mitigate, or at least monitor. Scanning is only useful if it is repeated on a schedule and the results are compared against a baseline of what should be exposed, so that new or unexpected services stand out.
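The two blocks below are added examples, not code from the original article or from any product it names. The first shows the kind of detection logic a monitoring tool runs over authentication logs: it parses constructed sshd-style log lines, builds the per-user timeline you would consult after an incident, and flags the pattern of repeated failed logins followed by a success from the same source. The log lines, host name, user names, and addresses are all constructed for the example, and the threshold and time window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in sshd's syslog format; not taken from any real system.
SAMPLE_LOG = """\
2024-03-01T09:00:01 host1 sshd[1201]: Failed password for alice from 203.0.113.5 port 51000 ssh2
2024-03-01T09:00:03 host1 sshd[1201]: Failed password for alice from 203.0.113.5 port 51001 ssh2
2024-03-01T09:00:04 host1 sshd[1201]: Failed password for alice from 203.0.113.5 port 51002 ssh2
2024-03-01T09:00:06 host1 sshd[1201]: Failed password for alice from 203.0.113.5 port 51003 ssh2
2024-03-01T09:00:09 host1 sshd[1201]: Accepted password for alice from 203.0.113.5 port 51004 ssh2
2024-03-01T09:15:00 host1 sshd[1300]: Accepted publickey for bob from 198.51.100.7 port 40000 ssh2
2024-03-01T10:00:00 host1 sshd[1400]: Failed password for carol from 192.0.2.9 port 42000 ssh2
2024-03-01T10:00:01 host1 cron[1500]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Matches the Accepted/Failed lines; "invalid user" appears when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_events(text: str) -> list:
    """Turn raw log text into a list of structured login events; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "result": m["result"],
            "method": m["method"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def timeline(events: list, user: str) -> list:
    """All events for one user in time order: the 'what led up to this' view for an investigation."""
    return sorted((e for e in events if e["user"] == user), key=lambda e: e["ts"])


def detect_bruteforce_success(events: list, threshold: int = 3,
                              window: timedelta = timedelta(minutes=5)) -> list:
    """Flag (user, source) pairs that logged >= threshold failures within `window`
    and then succeeded: the classic sign of a guessed or sprayed password."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[(e["user"], e["src"])].append(e)

    alerts = []
    for (user, src), evs in by_key.items():
        recent_failures = []
        for e in evs:
            # Drop failures that have aged out of the window relative to this event.
            recent_failures = [t for t in recent_failures if e["ts"] - t <= window]
            if e["result"] == "Failed":
                recent_failures.append(e["ts"])
            else:  # Accepted
                if len(recent_failures) >= threshold:
                    alerts.append({"user": user, "src": src,
                                   "failures": len(recent_failures),
                                   "success_at": e["ts"]})
                recent_failures = []
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for e in timeline(evs, "alice"):
        print(e["ts"].isoformat(), e["result"], e["method"], "from", e["src"])
    print("alerts:", detect_bruteforce_success(evs))
```

Run as a script, it prints alice's timeline and one alert (four failures from 203.0.113.5 followed by a success); carol's single failure and bob's key-based login produce nothing. In production the same logic would run continuously over centrally collected logs rather than over a string.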
Password Management Software
To ensure your employees aren’t writing their passwords down or depending on their browser saving their passwords, consider implementing password management software. Remembering different passwords for different services isn’t easy, and many people go for the path of least resistance and choose the same password for multiple systems. Providing password management software can help employees keep their passwords secure and avoid security incidents because of careless password protection.
Dedicated compliance operations software can help you track all of your compliance activities, monitor your internal controls to manage cyber risk, and ensure that all controls are working consistently as they were designed, so your security team can catch control failures early and remediate vulnerabilities before you experience a data breach.
Compliance operations software like Hyperproof also provides a secure, central place to keep track of your information security policy, data breach incident response policy, and other evidence files that you’ll need to produce when regulators/auditors come knocking after a security incident. Hyperproof also helps your organization quickly implement SOC 2, ISO 27001, GDPR, and other security/privacy frameworks, and removes a significant amount of administrative overhead from compliance audits.