Information Security Policy | Best Practices


If you're pursuing SOC 2, it’s easy to suffer from documentation fatigue. It may feel like every little thing you do with your systems and data has to have a policy written about it (and there’s probably some truth to that). In this post we will discuss why the information security policy exists and who is responsible for executing and enforcing it.

All of those individual policies tie back to the information security policy, which in many ways is the cornerstone of your security program. It answers many of the big questions people may ask, such as why your company is becoming so structured and process-focused on everything related to security.

However, as crucial as this policy is, it’s important to keep it high level. Here are some key points your information security policy should include:

Why the Information Security Policy exists

This is your opportunity to make a brief, impactful statement about how critical your team’s work is, and that ultimately your mission is to protect the confidentiality, integrity, and availability of the organization’s information and information systems. Express that the information security policy, standards and supporting processes and procedures are designed to:

  • Support the implementation of information technology security best practices
  • Provide value to the way we conduct business
  • Support our organizational objectives
  • Serve to minimize risk to our organization
  • Allow for compliance with relevant legal, regulatory and access control requirements

Who is responsible for executing and enforcing the policy

The information security policy should state that executive management will demonstrate leadership and commitment for the security program by:

  • Supporting the program with the necessary staff and funding
  • Ensuring the program is aligned with the organization’s strategic objectives
  • Enforcing the policy and its security controls, and acting on violations and non-compliance when necessary

Having this verbiage in your information security policy gives it a backbone, and sends a message to the rest of the organization that security will be taken seriously. It also clarifies that these security initiatives have the full support of the management team, and are not things the IT security department is doing to make everybody’s lives difficult.

Key terms and definitions

Not everyone in your organization will be familiar with IT and security lingo, so your information security policy and security requirements should define key terms in simple language. Here are a few examples of common information security policy terms:

Information - the communication or representation of knowledge in any form, be it electronic (digital assets), physical or verbal

Information Security - the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction - in order to provide confidentiality, integrity, and availability

User - any individual, such as an employee, contractor or supplier (or a process acting on behalf of an individual), with access to an information system

A brief outline of other vital policies

It is also helpful if your information security policy provides a summary of your organization’s other policies. For example:

Application Security Policy - addresses the organization’s secure development practices and the controls that prevent unauthorized access to or modification of the system and the information it processes and stores

Cyber Risk Assessment Report - details the organization’s vulnerabilities, the existing security controls that address them, and recommendations for resolving any remaining issues

Data Retention Policy - defines the organization’s data management practices, including the types of data that are retained and maintained - and for what length of time

Data Center Security Policy - details the administrative, technical and physical controls employed in the organization’s datacenter environment

Encryption Policy - outlines the encryption technologies used to help secure organization data

Password Policy - describes a set of rules the organization uses to employ strong passwords and use them properly

Remote Access Policy - details the acceptable methods for connecting to the internal network from a remote location

Removable Media/Cloud Storage/BYOD Policy - lays out the organization’s approved device and storage types, as well as guidance for properly using each type

Security Incident Response Policy - establishes that your organization has the controls in place to detect security incidents, respond to them and resolve them

Workstation Security Policy - provides direction on the appropriate measures that must be taken to ensure the confidentiality, integrity, and availability of information on workstations

Software Development Lifecycle Policy - outlines the company’s position regarding in-house software development

Disaster Recovery Policy - details the controls the organization has in place to minimize the impact of significant events, as well as recover from them

As critical as the information security policy is, keep it as simple as possible. Use it to give readers a high-level overview of your security program and how it is endorsed and supported by management. Also, share a general outline of what the rest of your policy structure looks like, but save the details for the individual policies themselves.


About the Author

Brian, Security Engineer / Podcaster, is the president of 7 Minute Security, an information security consultancy in the Minneapolis area. Brian spends most of his days helping companies defend their networks.

Since 2004, Brian has also run the blog/podcast called 7 Minute Security, where he shares what he has learned about information security into short, 7-minute chunks.
