Filed under: IT Services

September 16, 2021


The Information Security Policy (IS Policy) is the most important security document of an organization. Ideally, it should serve as the guiding principle of an organization’s information security, providing structure and vision to ensure the organization can achieve its mission, while keeping its data safe.

The IS Policy requires a mature process to ensure its objectives are met. This article will cover the steps to creating one for your own organization.

Click here to download a more in-depth version of this piece, with a template for you to reference when building your own IS Policy.

Step 1: The Policy Statements

The IS Policy typically begins with the Policy Statements, which are declarations based on good, strategic principles. These establish “why” the IS Policy exists and “what” it hopes to achieve.

The “what” depends on each organization. An e-commerce company may emphasize that “all” users are responsible for protecting passwords. But a not-for-profit organization with volunteers may not even use passwords; this would later drive a much different “how” to achieve security. (The “how” are called “Procedures” and are outside the scope of a Policy Statement.)

The following are common Policy Statements:

  1. All users are responsible for protecting the organization’s confidential information from unauthorized access.
  2. All users are responsible for protecting their passwords and other access credentials from unauthorized use.
  3. Access to confidential information must be authorized with valid business purposes.
  4. Access to a confidential system requires training in protecting such information.
  5. Users of confidential information must be accurately, individually, and uniquely identified.

Step 2: Data Classification

The next element of an IS Policy is Data Classification.

Data Classification is the most tactical, relevant, and pragmatic approach in building the IS Policy. Not all information is equal and, thus, does not require an equal level of security effort. Resources should be prioritized to the most sensitive information of an organization. It is therefore critical to establish guidance on prioritization.

The prioritization is often laid out in a Data Classification table, which resembles the following example:

Classification TypeClassification LevelExamples
Information intended and released for public use.Level 1: Public Press releases, annual reports, published research, published marketing materials.
Low-Risk Confidential Information that can be shared within the organization.Level 2: Internal OnlyIntranet portals, department policies and procedures, training materials, work papers, building maps/layouts.
Medium Risk Confidential Information intended only for those with a “business need to know.”Level 3: ConfidentialPersonnel records, IT source code, non-public financial records/statements, budget information, technical diagrams/architecture, donor information.
High-Risk Confidential Information that requires strict controls.Level 4: RestrictedPersonally Identifiable Information (PII), passwords/PIN details, private encryption keys, trade secrets, SSN, credit card numbers.
Reserved for Research Data or Data Use AgreementLevel 5: Top SecretResearch data, formulas, or other information directly related to the ongoing nature of an organization.

Step 3: Mapping Policy Statements, Classification, and Requirements and Standards

Once the Policy Statements and the prioritization based on Data Classification have been established, the next step is to develop Requirements. This is where many organizations will have varying security practices.

For example, an e-commerce company with a policy that “all” users must protect their passwords may require the use of an encrypted password vaulting system. However, this may not be a requirement for a not-for-profit organization with volunteers that do not need login credentials (in order to optimize security spending). Therefore, it’s important to map the Requirements and Standards to the Policy Statements and Data Classification as it explains the “why” such Requirements exist. This will lead to better security adoption and alignment within an organization.

The following is an example:

Policy StatementClassification LevelRequirements and Related Standards
1. All users are responsible for protecting the organization’s confidential information from unauthorized access.Level 1: Public N/A
Level 2: Internal OnlyFor users (employees, temporary workers, and contractors):
• All devices connected to the network must meet the “Data Protection Requirements.”

• All users must meet appliable password requirements. See “Password Standard.”

For Information Technology:
• People responsible for the operation of technology must have the skills, experience, and training. See the “HR Competency Framework.”
Level 3: ConfidentialIn addition to Level 2 –

For users (employees, temporary workers, and contractors):
• All users handling personally identifiable information must comply with the organization’s “PII Protection Standards.”

• All devices connected to the network must meet the “Data Protection Requirements.”

For Information Technology:
• All devices must be configured to securely store, process, transmit, archive, and dispose of data. See “Data Encryption Standard.”

• All devices must be protected against access when data is disposed of. See “Data Retention Policy.”
Level 4: Restricted
Level 5: Top Secret

Many organizations already have documented standards, such as password standards or email standards. While it’s best to include the actual standards (e.g., number of characters, complexity, etc.,) in the table above, it may be a stylistic choice to document them in separate requirements or standards, such as in the example table above.

Step 4: Linking to Other Policies

In the next phase, consider including links in your IS Policy to the other policies and standards. The following are examples that should be considered at a minimum. Their importance cannot be stressed enough.

  • Incident Detection and Response Policy: All organizational members are responsible for detecting issues that could be symptoms of a security breach. This could be phishing emails or slow background processes on a laptop. It is critical to build incident logging processes (e.g., IT helpdesk), but it is even more critical to build a process to triage incidents to find patterns of a security attack. Then, an organization must understand how to respond.
  • Business Continuity and Disaster Recovery Policy: In case of a disaster, such as a security attack, it’s important to understand how to launch backup processes and initiate recovery procedures. This is often referred to as the BCP/DR Plan.
  • Data Retention Policy: For a variety of business or regulatory reasons, sensitive information is normally backed up and retained. It’s essential to secure backed-up data from any breaches.

Step 5: IS Policy Review and Communication

Once the IS Policy is documented, it should be maintained, reviewed, and monitored periodically. This process is often annual, but this depends on your organization. Typical reviewers include those ultimately accountable for the security of an organization, such as the CEO or the COO. The IS Policy should explicitly state who the reviewers are, and when the review occurred. Certain regulations, such as GDPR, require that a privacy officer is also identified and listed.

Once reviewed, the IS Policy should be communicated throughout the entire organization. A very common tactic is to require annual training on the IS Policy, in addition to getting trained on security threats. The IS Policy should also be easily accessible, such as making it available on the intranet. Some organizations take it a step further and disclose consequences for IS Policy violation, but this depends on the culture and other factors of each organization.

In Conclusion

The IS policy is a vital document that charts the course for an organization’s information security. A strong IS policy will lay out an organization’s security philosophy and follow through with the steps employees must take to accomplish the goal of information security.

If you have questions on establishing an IS policy, please send me an email.

Follow this link for a more in-depth look into the IS Policy and for a template you can follow while building your own.

©2021 Clark Nuber PS. All rights reserved.

This article contains general information only and should not be construed as accounting, business, financial, investment, legal, tax, or other professional advice or services. Before making any decision or taking any action, you should engage a qualified professional advisor.