What is an information security policy, and how does a security policy differ from security standards, procedures, baselines and guidelines?
An information security policy is a high-level statement that defines how an organization will classify and protect its valuable assets. Information security professionals and managers, with support from senior management, are responsible for developing the information security policy and strategies according to the business requirements of the organization. However, senior management is ultimately responsible for approving the statements of the information security policy. Enforcement of the information security policy is the responsibility of the chief information security officer (CISO), who is a member of senior management. Furthermore, at a minimum, the information security policy should directly reflect the mission, objectives, strategies, roadmap and goals of the overall organization.
The board of directors (BoD) and senior management are responsible for ensuring that the information security policy is aligned with business objectives, and that the policy is established in line with the core information security principles, namely the confidentiality, integrity and availability (CIA) objectives.
Most people think that a policy is the same as organizational standards, procedures, guidelines and baselines. Even though the security policy is related to these security documents, there are differences that every information security professional should know.
- Policy: the high-level statements of senior management intent, expectations and direction. This document is considered the constitution of an organization.
- Standard: defines mandatory requirements for the usage of hardware, software, technology and security controls or boundaries. While policies are the constitution of an organization, standards are subordinate laws that are derived from the policy.
- Procedure: a detailed, step-by-step document that defines the actions necessary to implement security controls, technologies and products.
- Baseline: defines the minimum level of information security that every system throughout the organization must meet.
- Guideline: provides recommendations on how the standards and baselines are implemented and serves as an operational reference.
The purposes of an information security policy may include, but are not limited to, the following:
- Establish repeatable and consistent processes and approaches to manage information security
- Educate workforce personnel in information security best practices and corporate security standards
- Document controls to ensure personnel adherence to security measures
- Meet critical legal, regulatory and compliance requirements, such as GDPR, HIPAA, PCI DSS
- Develop guidelines to detect new security threats and mitigate emerging risks
- Build customer reputation through maintaining organizational security posture
- Protect customer data
- Ensure appropriate access controls
- Respond to incidents and disasters appropriately
- Enforce data retention requirements
- More
Core elements that an information security policy should have include the following:
- Information security objectives
- Purpose
- Audience (technical people or top management)
- Authority and access control policy
- Data classification scheme
- Data support and operations
- Security awareness training
- Personnel responsibilities and roles
- Incident response procedures
- More
Some common information security policies may incorporate:
- Data backup policy
- Encryption policy
- Password policy
- Network security policy
- Acceptable use policy (AUP)
- Change management policy
- Email policy
- Remote access policy
- Privacy policy
- So much more