
Information Security Policy: But Why?
The word POLICY alone inspires a wince just reading it! A policy is the ‘how to’ and ‘what to do’ for specific individuals or groups. No one likes being told what to do or how to do it, right? When it comes to protecting assets, a policy is critical. Since information IS an asset, information must be protected and controlled; more specifically, how it is accessed, used, changed, communicated, and even destroyed must be controlled.
What is an Information Security Policy?
An Information Security Policy is the ‘how to’, ‘what to do’, and even ‘what NOT to do’ for information within an environment. The policy:
- Defines what information is going to be protected
- Defines and communicates the protection measures that will be used
- Defines the controls needed to access, use, modify, communicate and destroy information
- Sets guidelines on how the controls are implemented (Think Procedures!)
- Communicates the controls used to manage information
- Identifies the consequences of non-compliance
Yikes. An Information Security Policy seems even more daunting than just saying ‘policy’ but isn’t as complicated as it first appears.
Who needs an Information Security Policy?
Arguably, everyone and anyone with information resources. If information resources need management and protection, an Information Security Policy is necessary. But is it that complicated? Maybe not.
At home, does everyone in the household know:
- Who has keys or access to your house? Who is allowed? How is access controlled or granted?
- Who controls access to your wireless network?
- The “Parental Controls” on app downloads or purchases?
- The consequences of ‘surfing’ inappropriate sites, or of using the network outside of set hours of operation?
Elements of an Information Security Policy may be disguised as normal household rules, like the examples above. Repercussions of going outside the rules at home are typically never documented, but they are very real: the consequences are known and enforced, even though they are likely not written down anywhere. While effective within a household, “Go ask Mom”, “Dad said no” or “You’re grounded” aren’t necessarily effective management and enforcement in an organization.
In an organization, it is fundamentally the same as management within a household but requires more standardized definition and documentation. The risk to information resources is greater in an organization, and realistically, behavior in an organization can’t be managed with just normal household rules. A documented and communicated Information Security Policy is crucial to the control and management of information resources to mitigate the greater risk. Information protections might include, but would not be limited to:
- Identifying critical resources to users, and how access to the resources is gained and managed
- Outlining what is allowable, and not allowable by users with company-owned devices
- Clearly defined consequences of non-compliance or inaction
For an organization, an Information Security Policy must be succinct. It is essential to communicate the rules of engagement surrounding information protection. It protects the organization, its information, and its users.
Why?
It’s important. REALLY important.
An Information Security Policy is the key to a good security program, allowing users to understand that information is a valuable resource. An Information Security Policy takes the guesswork out of security management by setting standards, defining behavior expectations, and documenting procedures to meet the accepted level of security risk to information within an environment.
At home or in any organization, the definition, communication, and enforcement of an Information Security Policy improves the safety and security of the critical mass