Writing Effective Information Security Policies

Writing Effective Information Security Policies
Writing effective information security policy is more than just laying down a set of rules and procedures; it’s a process unto itself, whose goal is to create a dynamic instrument that will protect a financial institution’s most precious asset - information.

Fortunately, resources exist to assist chief information security officers in formulating effective policy, such as Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition, published in 2006 by the IT Governance Institute and available for free download at www.itgi.org.

The guidance includes actions that boards and executive management can take to ensure effective information security governance. It includes five positive outcomes of a successful information security program: information security is aligned with business strategy to support the business; risks are managed to reduce impacts on information; resources are managed by using information security knowledge and infrastructure effectively and efficiently; information security governance metrics are used to measure, monitor and report progress; information security investments deliver value to the business.

Information security policy is the focal point for establishing and conveying security requirements. It sets the tone for the information security practices within an organization, defining appropriate behavior and setting the stage for the security program. A consistently applied policy development framework exists that guides formulation, rollout, understanding and compliance.

Senior management is responsible for establishing and enforcing a formal, written information security policy including standards, procedures, guidelines and rules of use.

A good policy document includes the overall importance of security within the organization, identifies what is being protected, identifies key risks and mechanisms for dealing with those risks and provides for ongoing and regular monitoring and feedback to ensure the polices are enacted and enforced. Regular updates are needed to reflect changing business needs and practices. The policy enumerates the roles and responsibilities of all information systems users for protecting the confidentiality, availability and integrity of information assets. It must set out management’s objectives and expectations for information security in clear, unambiguous terms, along with the implications of noncompliance. Its existence also demonstrates management’s commitment to information security. To ensure ongoing applicability and relevance, the policy statement needs to be reviewed and updated on an annual basis. Failure to update may demonstrate a lack of management commitment to information security, or the general lack of processes to manage organizational governance.

The policy clearly states overall objectives and requirements for information security, scope (organization units, information assets), roles and responsibilities for each relevant party (e.g., asset owners, users, trustees), and any possible conditions for exceptions. The information security policy framework serves to support more extensive statements of information security standards, practices and procedures.

Rather than viewing information security policy as a single document, it will help to view the policy as a three-part suite—the policy document, the standards document, and the procedures document, writes Mark Ungerman, director of product management at Symantec Corp., in a white paper.

The information security policy document details why a corporation needs a policy in the first place. The standards document outlines what will be done to ensure security of information and assets. Finally, the procedures document becomes the how-to portion, showing the methodology in achieving the set standards.

The information security policy itself provides a brief overview of the organization’s philosophy regarding security, writes Ungerman. Usually only around two pages long, the policy is the shortest of the three documents, but it is critically important in setting the stage for the other two documents. “The framework for the entire suite of documents rests in the policy’s ability to define to whom and what the policy applies, provide a general description, illustrate the need for adherence, and detail the consequences for nonadherence,” says Ungerman.

The information security policy also details the consequences of noncompliance in regards to government regulations and standards. Once complete, the information security policy should be reviewed, approved, and signed by the most senior manager in the organization.

The information security standards document considers what needs to be done to implement security measures. This document covers the physical, administrative, and technical controls designed to secure information assets. It is important that in detailing security controls, end-user productivity is considered. Controls should be designed to maximize both information protection and employee efficiency. Much like the policy document, the information security standards document will unlikely be altered. Only the introduction of new systems, applications, or regulations would require amendments to this document.

The final piece of the security suite—the information security procedures document— takes the controls outlined in the standards document and shows how each control will be implemented and managed. Since the implementation of any of these items may require several procedures and tasks, each of these steps must be approached and listed. Since the business environment is continually changing, this document will similarly undergo frequent changes to match the corporation’s security needs.

About the Author

Andrew Miller

Andrew Miller

Contributing Writer, ISMG

Andrew Miller is a freelance writer specializing in financial services and information technology. He holds an MBA from Columbia University and a Master's in computer science from Rensselaer Polytechnic Institute. He has held jobs at CMP Media, MetLife, and Gartner.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.