How to Write an Information Security Policy

An Information Security Policy is the cornerstone of an Information Security Program. It should reflect the organization's objectives for security and the agreed upon management strategy for securing information.

1 2 Page 2
Page 2 of 2

4. Placement of the policy in the context of other management directives and supplementary documents (e.g., is agreed by all at executive level, all other information handling documents must be consistent with it)

5. References to supporting documents (e.g. roles and responsibilities, process, technology standards, procedures, guidelines)

6. Specific instruction on well-established organization-wide security mandates (e.g. all access to any computer system requires identity verification and authentication, no sharing of individual authentication mechanisms)

7. Specific designation of well-established responsibilities (e.g. the technology department is the sole provider of telecommunications lines)

8. Consequences for non-compliance (e.g. up to and including dismissal or termination of contract)

This list of items will suffice for information security policy completeness with respect to current industry best practice as long as accountability for prescribing specific security measures is established within the "supplementary documents" and "responsibilities" section. While items 6 and 7 may contain a large variety of other agreed-upon details with respect to security measures, it is ok to keep them to a minimum to maintain policy readability, and rely on sub-policies or supporting documents to include the requirements. Again, it is more important to have complete compliance at the policy level than to have the policy include a lot of detail.

Note that the policy production process itself is something that necessarily exists outside of the policy document itself. Documentation with respect to policy approvals, updates, and version control should also be carefully preserved and available in the event that the policy production process itself is audited.

Jennifer Bayuk is an information security consultant and former CISO. She has written or co-edited several books including Enterprise Information Security and Privacy, Stepping Through the IS Audit, 2nd Edition, Stepping Through the InfoSec Program, and a forthcoming work on Security Leadership.

This story, "How to Write an Information Security Policy" was originally published by CSO.

Copyright © 2009 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 secrets of successful remote IT teams