- Role-based, attribute-based, & just-in-time access to infrastructure
- Connect any person or service to any infrastructure, anywhere
- Logging like you've never seen
If you're pursuing SOC 2, it’s easy to suffer from documentation fatigue. It may feel like every little thing you do with your systems and data has to have a policy written about it (and there’s probably some truth to that). In this post we will discuss why the information security policy exists and who is responsible for executing and enforcing it.
These policies all tie back to the information security policy, which in many ways is the cornerstone of your security program. It answers many of the big questions people may ask, such as why your company is becoming so structured and process-focused on everything related to security.
However, as crucial as this policy is, it’s important to keep it high level. Here are some key points your information security policy should include:
Why the Information Security Policy exists
This is your opportunity to make a brief, impactful statement about how critical your team’s work is, and that ultimately your mission is to protect the confidentiality, integrity, and availability of the organization’s information and information systems. Express that the information security policy, standards and supporting processes and procedures are designed to:
- Support the implementation of information technology security best practices
- Provide value to the way we conduct business
- Support our organizational objectives
- Serve to minimize risk to our organization
- Allow for compliance with relevant legal, regulatory and access control requirements
Who is responsible for executing and enforcing the policy
The information security policy should state that executive management will demonstrate leadership and commitment for the security program by:
- Supporting the program with the necessary staff and funding
- Ensuring the program is aligned with the organization’s strategic objectives
- Enforcing violations of policy, security controls, and non-compliance when necessary
Having this verbiage in your information security policy gives it a backbone, and sends a message to the rest of the organization that security will be taken seriously. It also clarifies that these security initiatives have the full support of the management team, and are not things the IT security department are doing to make everybody’s lives difficult.
Key terms and definitions
Not everyone in your organization will be familiar with IT and security lingo, so your information security policy and security requirements should define key terms in simple language. Here are a few examples of common information security policy terms:
Information - the communication or representation of knowledge in any form, be it electronic (digital assets), physical or verbal
Information Security - the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction - in order to provide confidentiality, integrity, and availability
User - any individual (or a process acting on behalf of an individual) with access to an information system such as employees, contractors or suppliers
A brief outline of other vital policies
It is also helpful if your information security policy provides a summary of your organization’s other policies. For example:
Application Security Policy - addresses the organization’s secure development practices and controls to prevent unauthorized access or modification of the system, as well as information coded and/or stored
Cyber Risk Assessment Report - this report details the organization’s vulnerabilities, the details on existing security controls to address the vulnerabilities, and recommendations to address any issues
Data Retention Policy - defines the organization’s data management practices, including the types of data that are retained and maintained - and for what length of time
Data Center Security Policy - details the administrative, technical and physical controls employed in the organization’s datacenter environment
Encryption Policy - outlines the encryption technologies used to help secure organization data
Password Policy - describes a set of rules the organization uses to employ strong passwords and use them properly
Remote Access Policy - details the acceptable methods for connecting to the internal network from a remote location
Removable Media/Cloud Storage/BYOD Policy - lays out the organization’s approved device and storage types, as well as guidance for properly using each type
Security Incident Response Policy - establishes that your organization has the controls in place to detect security incidents and resolve them
Workstation Security Policy - provides direction on the appropriate measures that must be taken to ensure the confidentiality, integrity, and availability of information on workstations
Software Development Lifecycle Policy - outlines the company’s position regarding in-house software development
Disaster Recovery Policy - details the controls the organization has in place to minimize the impact of significant events, as well as recover from them
As critical as the information security policy is, keep it as simple as possible. Use it to give readers a high-level overview of your security program and how it is endorsed and supported by management. Also, share a general outline of what the rest of your policy structure looks like, but save the details for the individual policies themselves.
About the Author
Brian Johnson, Security Engineer / Podcaster, is the president of 7 Minute Security, an information security consultancy in the Minneapolis area. Brian spends most of his days helping companies defend their networks.
Since 2004, Brian has also run the blog/podcast called 7 Minute Security, where he shares what he has learned about information security into short, 7-minute chunks.