Information Security Policy: But Why?

Just reading the word “POLICY” may inspire a wince! It represents the “how to” and “what to do” for specific individuals or groups. Understandably, receiving instructions on what to do or how to do it doesn’t appeal to everyone, right? However, in the realm of asset protection, policies prove themselves crucial. Given that Information stands as a pivotal asset, we must actively protect and control it. This includes managing its access, usage, modification, communication, and even destruction.

What is an Information Security Policy?

It is the ‘how to’, ‘what to do’, and even ‘what NOT to do’ for information within an environment.  The policy:

  • Defines the information that will be protected.
  • Communicates and defines the protection measures in use.
  • Defines the controls needed to access, use, modify, communicate, and destroy that information.
  • Establishes guidelines for implementing the controls (Think Procedures!)
  • Communicates the controls used to manage information.
  • Identifies the consequences of non-compliance.

Yikes.  An Information Security Policy seems even more daunting than just saying ‘policy’, but it isn’t as complicated as it first appears.

Who needs one?

Arguably, everyone.  If resources need management and protection, an Information Security Policy is necessary.  But is it that complicated?  Maybe not.

At home, does everyone in the household know:

  • Who has keys or access to your house? Who is allowed?  How is access controlled or granted?
  • Who controls access to your wireless network?
  • The “Parental Controls” on app downloads or purchases?
  • The consequences of ‘surfing’ inappropriate sites, or outside of set hours of operation?

Normal household rules may disguise elements of an Information Security Policy, as the examples above demonstrate. Although we seldom document the repercussions of breaking these rules at home, their consequences remain very real, well-known, and enforced. While “Go ask Mom,” “Dad said no,” or “You’re grounded” might work effectively within a household, organizations might not find these approaches as effective for management and enforcement.

In an organization, it is fundamentally the same as management within a household but requires more standardized definition and documentation.  In an organization, the risk to information resources is greater, and realistically, one cannot manage behavior with just normal household rules.  A documented and communicated Information Security Policy is crucial to the control and management of resources to mitigate the greater risk.  Information protections might include, but would not be limited to:

  • Identifying critical resources for users, and managing and controlling how users gain access to these resources.
  • Outlining what is allowable, and not allowable, for users with company-owned devices.
  • Clearly defining the consequences of non-compliance or inaction.

For an organization, an Information Security Policy must be succinct.   It is essential to communicate the rules of engagement surrounding protection.  It protects the organization, its information, and its users.


It’s important.  REALLY important.

An Information Security Policy is the key to a good security program, allowing users to understand that information is a valuable resource.  This takes the guesswork out of security management by setting standards, defining behavior expectations, and documenting procedures to meet the accepted level of security risks to information within an environment.

At home or in any organization, the definition, communication, and enforcement of an Information Security Policy improves the safety and security of the critical mass
