Introduction
Every organization needs to have security measures and policies in place to safeguard its data.
An information security policy brings together all of the policies, procedures, and technology that protect your company’s data in one document. This guide will help you create an Information Security Policy for your organization.
We suggest that you work with your applicable internal team to assist with development of the policy. See below for the sections you should include when creating your firm’s policy.
Please note that policies set some parameters for decision-making but leave room for flexibility. They show the “why” behind an action. Procedures, on the other hand, explain the “how.” They provide step-by-step instructions for specific routine tasks. They may even include a checklist or process steps to follow.
Key Elements
Information Security Policies typically include:
- Purpose and scope of the policy
- Roles and responsibilities for key stakeholders
- Regulatory Compliance
- Verifying and measuring Information Security
- Inventory and Classification of Assets
- Information classification and sensitivity
- Acceptable Use
- Access Controls
- Audit
- Reporting
- Incident Response
- Disaster Recovery
- Communication Security
- Human Resources Security
- Security in the Development Process
- Change Management
- Patch Management
- Physical Security
- Training
- IT Vendor Management
- Document ownership
- Policy review and approval
Developing the Policy
Purpose and Scope
Use this section to explain why an Information Security Policy is needed, systems affected and what goals the policy aims to achieve. It can be as simple as one sentence or more detailed according to the complexities of your organization. See examples below to get you started:
- Sample Copy. This Information Security Policy (“Policy”) describes the information security program and its implementation, both in corporate vision and day-to-day activities, at [Client name], including its affiliates and subsidiaries. This Policy provides high-level guidelines for the information security program at [Client name]. Further details regarding the implementation of various aspects of [Client name]’s information security program can be found in [Client name]’s information security procedures.
Roles and Responsibilities
Use this section to designate the people in your organization who will be responsible for each part of the policy, along with their specific duties.
It is recommended that you use job titles and not names of employees (keeps the document current instead of updating each time there’s a change in staffing). Get as detailed as needed in order to cover specifics that pertain to your organization. See examples below to get you started:
Delegation: Chief Information Security Officer (CISO), Chief Compliance Officer (CCO), Chief Technology Officer (CTO), internal committees, etc.
Examples of Possible Duties:
- Setting, prioritizing and managing [Client name]’s information security initiatives
- Updating [Client name]’s security policy
- Setting the information security standards for [Client name] networks and systems
- Recommending security enhancements and features for [Client name]’s products and services
- Defining and managing ongoing security auditing and testing processes
Regulatory Compliance
Use this section to define how your firm will meet its regulatory obligations as it relates to information security and all applicable regulatory rules.
It can be as simple as one sentence or more detailed according to the complexities of your organization. See examples below to get you started:
Make sure your policy includes how you plan to monitor compliance with the stated laws and regulations. This can be as simple as an Excel worksheet used to track compliance, or it can be included in the scope of a third-party audit.
Sample Copy. In order to effectuate those regulatory obligations, [Client name] designs and implements its information security program to meet the standards set out in the IT Examination Handbook published by the Federal Financial Institutions Examination Council (“FFIEC”). As [Client name] accesses and controls some data, including some financial data, it complies with certain information security laws and regulations, including the Gramm-Leach-Bliley Act (“GLBA”), the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”), and the Interagency Guidelines Establishing Information Security Standards.
The Policy
Risk Mitigation
Use this section to describe what are the security measures and controls used by your organization to mitigate risk. See examples below to get you started:
- Patch management
- Access Control
- Business Continuity, etc.
Risk Assessment Methodology
Use this section to describe how your firm will verify and measure its security status.
It can be as simple as one sentence or more detailed according to the complexities of your organization. See example below to get you started:
- Sample Copy. [Client name]’s management verifies and measures its security status versus its security targets. Verification and measurement are performed by:
- Reviewing security project plans vs. actual implementation
- Analyzing the number and severity level of information security incidents compared to the previous quarter
Risk Register
Use this section to describe your risk management, tracking and reporting process. See examples below to get you started:
- Sample Copy. [Client name]’s security team maintains a risk register, which will contain the following elements:
- Current status of all significant security risks;
- Date of identification and the mitigation plan of such risks
- An expected date for mitigation of such risks
- [Client name]’s security designee will review the risk register quarterly and periodically provide risk register reporting to the Board.
Inventory and Classification of Assets
Use this section to describe what assets are being inventoried and classified.
Please state how an information asset owner is determined and what responsibilities are delegated to them. It can be as simple as one sentence or more detailed according to the complexities of your organization. See examples below to get you started:
- Sample Copy. The security team maintains a current inventory of all of [Client name]’s assets, including hardware, software, information, and connections. Further, the security team classifies each asset.
- Information Asset Owner. Each asset belonging to [Client name] is owned by an information asset owner. The owner of each information asset is determined by the CISO. An information asset owner can only be an internal [Client name] employee. The information asset owner may delegate operational aspects of their duties to an information asset operator. The CISO must approve all changes in ownership of assets.
- Include a list of duties/responsibilities of the asset owner and the asset operator
- It is recommended to create a list of all current assets to accompany the policy
Information Classification and Security
Use this section to describe the Information Classifications used by your firm along with levels of sensitivity for each classification.
It can be as simple as one sentence or more detailed according to the complexities of your organization. See examples below to get you started:
- Examples of Classifications. [Client name] Public and [Client name] Confidential
- Define each classification according to how your firm utilizes them
- Examples of Sensitivity Levels. Minimal, Medium, High
- Define each sensitivity level according to how your firm utilizes it
- Include the proper way to allow access, protect, distribute and dispose of the information described above
Acceptable Use
Use this section to reference your firm’s Acceptable Use Policy; this will be a separate policy that stipulates constraints and practices that a user must agree to for access to your corporate network.
It can be as simple as one sentence or more detailed according to the complexities of your organization. See example below to get you started:
- Sample Copy. The use of [Client name]'s network and all information assets and systems is subject to [Client name]'s Acceptable Use Policy.
- Recommended: Require the review and acknowledgment of the Acceptable Use Policy by all employees at least annually (retain documentation of acknowledgements)
Access Controls
Use this section to explain how your organization determines who has access to certain systems, data, files, etc.
It can be as simple as one sentence or more detailed according to the complexities of your organization. See examples below to get you started:
- Define categories of people who need access
- Examples: full-time, part-time, contractors, vendors, etc.
- Outline access levels for each category
- Example: Access to [Client name] information assets is restricted and will be granted to [Client name] employees and contractors in order to fulfill their duties on a need-to-use basis
- Other info to include if applicable to your firm: User Accountability, User Account Management, Segregation of Duties, User Authentication
Audit
Use this section to describe any auditing processes that your firm may have as it relates to the Information Security Policy.
It can be as simple as one sentence or more detailed according to the complexities of your organization. See example below to get you started:
- Sample Copy. [Client name] performs an annual review of the Information Security Policy, security procedures, and the company's compliance with these documents. This review outlines potential problems, proposed changes, and improvements.
Reporting
Use this section to show how a potential information security incident can be reported within your organization and the procedure for investigating the incident.
It can be as simple as one sentence or more detailed according to the complexities of your organization. See example below to get you started:
- Sample Copy. Each security-related event that is detected by any [Client name] employee or system is reported to the relevant information asset owner and to the CISO. The CISO compiles quarterly reports of information security activity and information security events and presents them to the Information Security Committee when it convenes.
- Include a description of the reporting and monitoring of internal compliance with this policy’s statements to a governing body such as the InfoSec Committee, Leadership Team, Board of Directors, etc.
Incident Response
Use this section to explain how your company will identify and recover from cybersecurity threats, and how you will respond to reported incidents.
You can include all of your relevant incident response processes here, or reference your Incident Response Policy and accompanying procedures. This typically includes:
- Detecting Events. Explain how your organization identifies and detects potential threats to information security. Provide specific details pertaining to your organization.
- Sample Copy. [Client name] employees, business partners, or customers may detect information security events, which can be either security incidents or system/service weaknesses and vulnerabilities. It is mandatory to report any information security event immediately to the CTO, who leads [Client name]'s Incident Response Team. The [Client name] Incident Response Team will log the event promptly upon receiving the report and assign it a unique event number. The log will contain the following information: Detection Time, Notification Origin (whether it is from a [Client name] employee, customer, or other), and a brief description of the event.
- Roles and Responsibilities. Use this section to name those people in your organization who will be responsible for every part of the policy. It is recommended that you use job titles and not names of employees (keep the document current instead of updating each time there’s a change in staffing). Get as detailed as needed in order to cover specifics that pertain to your organization
- Stakeholders key to the success of an Incident Response Policy. Chief Information Security Officer (CISO), Chief Compliance Officer (CCO), Chief Technology Officer (CTO), Incident Response Team, Security Team
- Responding to Events. Use this section to explain how your organization plans to handle or respond to threats, breaches, and other types of events. Get as detailed as needed in order to cover specifics that pertain to your organization
- Sample Copy. Immediately upon receiving a report of an information security event or weakness, the [Client name] Incident Response Team shall assess and categorize the event
- Include possible categories in a chart and detail how each category would be handled including a list of which categories (events) are priority or have the most critical impact. Examples of categories: Incidents, Vulnerabilities, Events, and Unknowns
- Explain exactly what the response plan is for each category. For example: run reports, investigate, confirm affected systems, activity considered necessary to contain and recover, corrective actions, communication internally and externally, reports/notifications to regulators, vendors, etc.
- Include a plan for a data breach (an event that involves customer data, including personally identifiable information (“PII”)).
- Documentation & Tracking. Use this section to explain how your organization will document, track and retain information pertaining to an incident. Get as detailed as needed in order to cover specifics that pertain to your organization. See the example below to get you started:
- Provide a list of what documents need to be retained
- Where will they be retained, including the pathway to location
- Establish folder structures and naming conventions for ease of access for auditing purposes
- It’s also helpful to have a post-mortem meeting with key stakeholders to discuss the effectiveness of the procedures
Disaster Recovery
Use this section to describe how your firm will operate in case of a disaster.
It can be relatively short or more detailed according to the complexities of your organization. See the information you should consider including:
- Risk Assessment. Identify potential risks and threats that could affect the organization's operations. This includes natural disasters (like floods, earthquakes), human-made incidents (such as cyberattacks, data breaches), and other disruptions
- Backup Strategy. Mention how often backups are made, where they are stored, and how data integrity is ensured.
- Response Plan. Outline specific steps to be taken immediately after a disaster occurs. Define roles and responsibilities for employees, establish communication protocols, and designate an emergency response team
- Recovery Strategies. Detail strategies for restoring systems, data, and operations. This includes prioritizing critical systems and setting recovery time objectives (RTOs) and recovery point objectives (RPOs).
- Testing and Training. Define periodic tests of the disaster recovery plan to ensure its effectiveness.
Communication Security
Use this section to describe how your firm’s networking system works, and the controls that you have in place to keep it secure.
It can be as simple as one sentence or more detailed according to the complexities of your organization. See example below to get you started:
- Information to consider including: perimeter protection, network segregation and segmentation, limited access by external entities, remote access, communication over external channels.
- Avoid using product names so you don’t have to update the policy if you decide to change a solution
Human Resources Security
Use this section to describe your firm’s Human Resources’ procedures as it relates to Information Security.
It can be as simple as one sentence or more detailed according to the complexities of your organization. See example below to get you started:
- Information to consider including: background checks; signing of non-disclosure agreements, the Security Policy, and the Acceptable Use Policy; termination and revocation of the employee’s access to key systems.
- Consider developing an employee onboarding/offboarding process; you can point to that process in your policy.
Security in the Development Process
Use this section to describe how and in which stages your firm includes security aspects in procedures, development, etc.
It can be as simple as one sentence or more detailed according to the complexities of your organization. See examples below to get you started:
- Sample Copy. Information security aspects are considered in every phase of the development lifecycle, from the initial design up to the final testing. "Development to Production" processes are performed according to the "Implementation Controls" procedure.
- Reference any applicable policies and/or procedures
- The “Implementation Controls” procedure is an ideal location to include process details on 1) Change control management within the SDLC process (including any required peer reviews before pushing to PROD), 2) Source code versioning control measures, 3) Dependency monitoring services used, 4) Any sort of API security and/or secure code testing measures
Change Management
Use this section to describe how your firm handles change management as it relates to information security.
It can be as simple as one sentence or more detailed according to the complexities of your organization. See examples below to get you started:
- Sample Copy. [Client name]'s services and networking environment are dynamic to support the changing needs of its customers and the ever-growing requirement for capacity and performance. Changes to [Client name]'s services or networking environment (excluding regular patching and updating processes) might require security clearance from the CISO. This process is described in the "Change Control" procedure.
- Reference any applicable policies and/or procedures
Patch Management
Use this section to describe how your firm handles patch implementations. It can be as simple as one sentence or more detailed according to the complexities of your organization. See examples below to get you started:
- Sample Copy. [Client name] follows a patch management process that identifies the availability of software patches, evaluates those patches against the threat and network environment, prioritizes which patches to apply across classes of computers and applications, and documents clear timelines for addressing vulnerabilities based on severity. This process is described in the “Patch Management” procedure.
- Reference any applicable policies and/or procedures
Physical Security
Use this section to describe how your firm handles physical security (offices, branches, etc.).
It can be as simple as one sentence or more detailed according to the complexities of your organization. See examples below to get you started:
- Sample Copy. The physical security of [Client name]'s corporate offices and data centers is crucial for maintaining the overall security level required by [Client name]. [Client name]'s employees and subcontractors in all offices are subject to [Client name]'s physical security requirements, set out in [Client name]'s "Physical Security" procedure.
- Reference any applicable policies and/or procedures
Training
Use this section to describe how your firm handles security related training for employees, etc.
It can be as simple as one sentence or more detailed according to the complexities of your organization. See example below to get you started:
- Sample Copy. Each employee receives an information security briefing upon commencing work at [Client name]. The CISO provides [Client name] employees with security awareness materials and training on an annual basis.
- Reference any applicable policies and/or procedures
- Recommended: Develop a “Security Awareness Training Program”
IT Vendor Management
Use this section to describe how your firm will handle third-party relationships as it relates to Information Security.
It can be as simple as one sentence or more detailed according to the complexities of your organization. See examples below to get you started:
- Sample Copy. [Client name] handles third-party Information Technology and Information Security vendors in accordance with its Vendor Assessment procedure. All third parties that handle or have access to [Client name] high-sensitivity information must be subject to contractual requirements obligating them to maintain the same high level of information security standards that [Client name] employs.
- Reference to your Vendor Management Policy and accompanying procedures
- Be sure to define responsibility for each vendor you partner with, assign each a criticality rating, and maintain documented reviews of the critical/high-rated vendors. This may already be part of your Vendor Management Policy; if so, make a reference to that policy in this section as well.
Document Ownership
Use this section to define who in the organization will have ownership of the Information Security Policy. See example below to get you started:
- Sample Copy. The CISO is the owner of this document and is responsible for ensuring that this Policy is reviewed in line with [Client name]’s review requirements.
Policy Review & Approval
Use this section to explain how your organization will structure a regular review of the Information Security Policy so it stays current. See examples below to get you started:
- Determine a cadence for review of the policy for updates (at least annually is a suggested minimum)
- Keep an audit trail of policy changes and approvals
- Establish a testing program to test the effectiveness of your policy, so that it is exercised even if you have had no incidents and want to confirm that the policy is “working”