Introduction

Every organization needs to have security measures and policies in place to safeguard its data.

An information security policy brings together all of the policies, procedures, and technology that protect your company’s data in one document. This guide will help you create an Information Security Policy for your organization. We suggest that you work with your applicable internal team to assist with development of the policy. See below for the sections you should include when creating your firm’s policy. 

Please note that policies set some parameters for decision-making but leave room for flexibility. They show the “why” behind an action. Procedures, on the other hand, explain the “how.” They provide step-by-step instructions for specific routine tasks. They may even include a checklist or process steps to follow.

Key Elements

Information Security Policies typically include:

  • Purpose and scope of the policy
  • Roles and responsibilities for key stakeholders
  • Verifying and measuring Information Security
  • Information assets
  • Information classification and sensitivity
  • Acceptable Use
  • Access Controls
  • Audit Process
  • Reporting
  • Incident Response
  • Communication Security
  • Human Resources Security
  • Security in the Development Process
  • Change Management
  • Patch Management
  • Physical Security
  • Regulatory Compliance
  • Training
  • IT Vendor Management
  • Document ownership
  • Policy review and approval

Developing the Policy

Purpose and Scope

Use this section to explain why an Information Security Policy is needed, which systems are affected, and what goals the policy aims to achieve. It can be as simple as one sentence or more detailed according to the complexities of your organization. See examples below to get you started:

  • Sample Intro: This document outlines CLIENT’S Information Security Policy. This policy describes CLIENT NAME management's view of information security and its implementation in both corporate vision and day-to-day activities of the company.  The security policy provides the high-level guidelines for practicing information security in CLIENT NAME. Further details regarding the implementation of various information security aspects can be found in CLIENT's information security procedures. This security policy relates to CLIENT's activities worldwide.  The policy refers to all offices, systems, networks and data resources operated and managed by CLIENT NAME.
  • Bulleted list of goals for the policy

Roles and Responsibilities

Use this section to designate the people in your organization who will be responsible for each part of the policy, along with their specific duties.

It is recommended that you use job titles rather than employee names, so the document stays current without needing an update each time staffing changes. Get as detailed as needed in order to cover specifics that pertain to your organization. See examples below to get you started:

  • Delegation Possibilities: Chief Information Security Officer (CISO), Chief Compliance Officer (CCO), Chief Technology Officer (CTO), internal committees

  • Examples of Possible Duties:

    • Setting, prioritizing and managing CLIENT's information security initiatives.
    • Updating CLIENT's security policy.
    • Setting the information security standards for CLIENT networks and systems
    • Recommending security enhancements and features for CLIENT's products and services.
    • Defining and managing ongoing security auditing and testing processes.

Verifying and Measuring Information Security

Use this section to describe how your firm will verify and measure its security status.

It can be as simple as one sentence or more detailed according to the complexities of your organization. See example below to get you started:

  • Sample Copy: CLIENT’s management verifies and measures its security status versus its security targets. Verification and measurement are performed by:

    • Reviewing security project plans vs. actual implementation
    • Analyzing the number and severity level of information security incidents compared to the previous quarter.

Information Asset Owners

Use this section to define what an information asset owner is and what responsibilities are delegated to them.

It can be as simple as one sentence or more detailed according to the complexities of your organization. See examples below to get you started:

  • Sample Copy: Each and every information asset belonging to CLIENT is owned by an information asset owner. The owner of each information asset will be determined by the CISO. An information asset owner can be only an internal CLIENT employee. The Information Asset Owner may delegate operational aspects of his duties.  
  • Include a list of duties/responsibilities
  • Recommend creating a list of all current assets to accompany the policy

Information Classification and Sensitivity

Use this section to describe the Information Classifications used by your firm along with levels of sensitivity for each classification. 

It can be as simple as one sentence or more detailed according to the complexities of your organization. See examples below to get you started:

  • Examples of Classifications: CLIENT Public and CLIENT Confidential
  • Define each classification according to how your firm utilizes them
  • Examples of Sensitivity Levels: Minimal, Medium, High
  • Define each sensitivity level according to how your firm utilizes them
  • Include the proper way to allow access, protect, distribute and dispose of the information described above

Acceptable Use

Use this section to reference your firm’s Acceptable Use Policy; this will be a separate policy that stipulates constraints and practices that a user must agree to for access to a corporate network.

It can be as simple as one sentence or more detailed according to the complexities of your organization. See example below to get you started:

  • Sample Copy: The use of CLIENT's network and all information assets and systems is subject to CLIENT's acceptable use policy.
  • Recommend requiring the Acceptable Use Policy to be reviewed and acknowledged by all employees at least annually (retain documentation of acknowledgements).

Access Controls

Use this section to explain how your organization determines who has access to certain systems, data, files, etc.

It can be as simple as one sentence or more detailed according to the complexities of your organization. See examples below to get you started:

  • Define categories of people who need access. Examples: full-time, part-time, contractors, vendors, etc.
  • Outline access levels for each category. Example: Access to CLIENT information assets is restricted and will be granted to CLIENT employees and contractors in order to fulfill their duties on a need-to-use basis.  
  • Other info to include if applicable to your firm: User Accountability, User Account Management, Segregation of Duties, User Authentication

Audit Process

Use this section to describe any auditing processes that your firm may have as it relates to the Information Security Policy. It can be as simple as one sentence or more detailed according to the complexities of your organization. See example below to get you started:

  • Sample Copy: CLIENT performs an annual review of the Information Security Policy, security procedures and the company's compliance with these documents. This review outlines potential problems, proposed changes and improvements.

Reporting

Use this section to show how a potential information security incident can be reported within your organization and the procedure for investigating the incident. It can be as simple as one sentence or more detailed according to the complexities of your organization. See example below to get you started:

  • Include a description on the reporting and monitoring of internal compliance with this policy’s statements to a governing body such as the InfoSec Committee, Leadership Team, Board of Directors, etc.
  • Sample Copy: Each security-related event that is detected by any CLIENT employee or system is reported to the relevant information asset owner and to the CISO. The CISO compiles quarterly reports of information security activity and information security events and presents them to the Information Security Committee when it convenes. 

Incident Response

Use this section to describe how your firm will respond to an incident that has been reported.

It can be as simple as one sentence or more detailed according to the complexities of your organization. See examples below to get you started:

  • Reference to your Incident Response Policy and accompanying procedures
  • Sample Copy: Security incidents detected by CLIENT employees, clients or business partners shall be reported to the CTO. The CTO will act according to CLIENT's "Incident Response" procedure in classifying, handling, documenting and reporting the incident.    

Communication Security

Use this section to describe how your firm’s networking system works and controls you have in place to keep it secure.

It can be as simple as one sentence or more detailed according to the complexities of your organization. See example below to get you started:

  • Information to consider including: perimeter protection, network segregation and segmentation, limited access by external entities, remote access, communication over external channels.
  • Avoid using product names so you don’t have to update the policy if you decide to change a solution.

Human Resources Security

Use this section to describe your firm’s Human Resources procedures as they relate to Information Security.

It can be as simple as one sentence or more detailed according to the complexities of your organization. See example below to get you started:

  • Information to consider including: background checks; signing of non-disclosure agreements, the Security Policy and the Acceptable Use Policy; termination and revocation of an employee’s access to key systems
  • Consider developing an employee onboarding/offboarding process; the policy can then point to that process.

Security in the Development Process

Use this section to show how your firm plans to include strategies for security in procedures, development, etc.

It can be as simple as one sentence or more detailed according to the complexities of your organization. See examples below to get you started:

  • Reference any applicable policies and/or procedures
  • The “Implementation Controls” procedure is an ideal location to include process details on 1) change control management within the SDLC process (including any required peer reviews before pushing to PROD), 2) source code versioning control measures, 3) dependency monitoring services used, and 4) any sort of API security and/or secure code testing measures.
  • Sample Copy: Information Security aspects are considered in every phase of the development lifecycle, from the initial design and up to the final testing. "Development to Production" processes are performed according to the "Implementation Controls" procedure.

Change Management

Use this section to describe how your firm handles change management as it relates to information security.

It can be as simple as one sentence or more detailed according to the complexities of your organization. See examples below to get you started:

  • Reference any applicable policies and/or procedures
  • Sample Copy: CLIENT's services and networking environment are dynamic, to support the changing needs of its customers and the ever-growing requirement for capacity and performance. Changes to CLIENT's services or networking environment (excluding regular patching and updating processes) might require security clearance from the CISO. This process is described in the "Change Control" procedure.

Patch Management

Use this section to describe how your firm handles implementing a patch.

It can be as simple as one sentence or more detailed according to the complexities of your organization. See examples below to get you started:

  • Reference any applicable policies and/or procedures
  • Sample Copy: CLIENT follows a patch management process that identifies the availability of software patches, evaluates those patches against the threat and network environment, prioritizes which patches to apply across classes of computers and applications, and documents clear timelines for addressing vulnerabilities based on severity. This process is described in the “Patch Management” procedure.

Physical Security

Use this section to describe how your firm handles physical security (offices, branches, etc.).

It can be as simple as one sentence or more detailed according to the complexities of your organization. See examples below to get you started:

  • Reference any applicable policies and/or procedures
  • Sample Copy: The physical security of CLIENT's corporate offices and data centers is crucial for maintaining the overall security level required by CLIENT. CLIENT's employees and subcontractors in all offices are subject to CLIENT's physical security requirements, set in CLIENT's "Physical Security" procedure.

Regulatory Compliance

Use this section to define how your firm will meet its regulatory obligations as it relates to information security and all applicable regulatory rules.

It can be as simple as one sentence or more detailed according to the complexities of your organization. See examples below to get you started:

  • Make sure your policy includes how you plan on monitoring compliance with the stated laws and regulations. This could be addressed as simply as an Excel worksheet to track compliance or included in the scope of a third-party audit.
  • Sample Copy: In order to effectuate those regulatory obligations, CLIENT NAME designs and implements its information security program to meet the standards set out in the IT Examination Handbook published by the Federal Financial Institutions Examination Council (“FFIEC”). As CLIENT NAME accesses and controls some data, including some financial data, it complies with certain information security laws and regulations, including the Gramm-Leach-Bliley Act (“GLBA”), the Dodd Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”), and the Interagency Guidelines Establishing Information Security Standards. 

Training

Use this section to describe how your firm handles training for employees, etc.

It can be as simple as one sentence or more detailed according to the complexities of your organization. See example below to get you started:

  • Reference any applicable policies and/or procedures.
  • Recommend developing a “Security Awareness Training Program” (SATP).
  • A policy statement could be added to require the development and implementation of a SATP, with details left to the program document.
  • Sample Copy: Each employee receives an information security briefing upon commencing work at CLIENT NAME. The CISO provides CLIENT NAME employees with security awareness materials and training on an annual basis.

IT Vendor Management

Use this section to describe how your firm will handle third-party relationships as it relates to Information Security.

It can be as simple as one sentence or more detailed according to the complexities of your organization. See examples below to get you started:

  • Reference to your Vendor Management Policy and accompanying procedures.
  • Be sure to define responsibility, assign a criticality rating to each vendor you partner with, and maintain documented reviews of the critical/high-rated vendors. This may already be part of your Vendor Management Policy; if so, reference that policy in this section as well.
  • Sample Copy: CLIENT handles third-party Information Technology and Information Security vendors in accordance with its Vendor Assessment procedure. All third parties that handle or have access to CLIENT High Sensitivity information must be subject to contractual requirements obligating them to maintain the same high level of information security standards that CLIENT employs.  

Document Ownership

Use this section to define who in the organization will have ownership of the Information Security Policy.

Get as detailed as needed in order to cover specifics that pertain to your organization. See example below to get you started:

  • Sample Copy: The CISO is the owner of this document and is responsible for ensuring that this procedure is reviewed in line with CLIENT’s review requirements. 

Policy Review & Approval

Use this section to explain how your organization will structure a regular review of the Information Security Policy so it stays current.

Get as detailed as needed in order to cover specifics that pertain to your organization. See examples below to get you started:

  • Determine a cadence for review of the policy for updates (at least annually is a suggested minimum)
  • Keep an audit trail of policy changes and approvals
  • Establish a testing program to test the effectiveness of your policy (in the event you don’t have any incidents but want to ensure the policy is “working