Management, compliance & auditing

Information Security Policies

Ryan Mazerik
April 16, 2014 by
Ryan Mazerik

Organisations are giving more priority to development of information security policies, as protecting their assets is one of the prominent things that needs to be considered. Lack of clarity in InfoSec policies can lead to catastrophic damages which cannot be recovered. So an organisation makes different strategies in implementing a security policy successfully. An information security policy provides management direction and support for information security across the organisation.

Information in an organisation will be both electronic and hard copy, and this information needs to be secured properly against the consequences of breaches of confidentiality, integrity and availability. Proper security measures need to be implemented to control and secure information from unauthorised changes, deletions and disclosures. To find the level of security measures that need to be applied, a risk assessment is mandatory.

Security policies are intended to define what is expected from employees within an organisation with respect to information systems. The objective is to guide or control the use of systems to reduce the risk to information assets. It also gives the staff who are dealing with information systems an acceptable use policy, explaining what is allowed and what not. Security policies of all companies are not same, but the key motive behind them is to protect assets. Security policies are tailored to the specific mission goals. Now let's walk on to the process of implementing security policies in an organisation for the first time.

Get Management Support

The crucial component for the success of writing an information security policy is gaining management support. Management will study the need of information security policies and assign a budget to implement security policies. Time, money, and resource mobilization are some factors that are discussed in this level. It is the role of the presenter to make the management understand the benefits and gains achieved through implementing these security policies.

Write Policies

Now we need to know our information systems and write policies accordingly. Whenever information security policies are developed, a security analyst will copy the policies from another organisation, with a few differences. Ideally it should be the case that an analyst will research and write policies specific to the organisation. This will increase the knowledge of how our infrastructure is structured, internal traffic flow, point of contact for different IT infrastructures, etc. Security policies need to be properly documented, as a good understandable security policy is very easy to implement. It should also be available to individuals responsible for implementing the policies.

So while writing policies, it is obligatory to know the exact requirements. We also need to consider all the regulations that are applicable to the industry, like (GLBA,ISO 27001,SOX,HIPAA). Management also need to be aware of the penalties that one should pay if any non-conformities are found out.

A policy should contain:

  • Overview - Background information of what issue the policy addresses.
  • Purpose - Why the policy is created.
  • Scope - To what areas this policy covers.
  • Targeted Audience - Tells to whom the policy is applicable.
  • Policy - A good description of the policy.
  • Definitions - A brief introduction of the technical jargon used inside the policy.
  • Version - A version number to control the changes made to the document.

Implement policies

Once the information security policy is written to cover the rules, all employees should adhere to it while sending email, accessing VOIP, browsing the Internet, and accessing confidential data in a system. These policies need to be implemented across the organisation, however IT assets that impact our business the most need to be considered first. By implementing security policies, an organisation will get greater outputs at a lower cost. Policies can be enforced by implementing security controls.


Once the security policy is implemented, it will be a part of day-to-day business activities. Security policies that are implemented need to be reviewed whenever there is an organizational change. Policies can be monitored by depending on any monitoring solutions like SIEM and the violation of security policies can be seriously dealt with. There should also be a mechanism to report any violations to the policy. Employees often fear to raise violations directly, but a proper mechanism will bring problems to stakeholders immediately rather than when it is too late.

It is also mandatory to update the policy based upon the environmental changes that an organization goes into when it progresses. The policy updates also need to be communicated with all employees as well as the person who authorised to monitor policy violations, as they may flag for some scenarios which have been ignored by the organisation. Management is responsible for establishing controls and should regularly review the status of controls. Below is a list of some of the security policies that an organisation may have:

Access Control Policy How information is accessed

Contingency Planning Policy How availability of data is made online 24/7

Data Classification Policy How data are classified

Change Control Policy How changes are made to directories or the file server

Wireless Policy How wireless infrastructure devices need to be configured

Incident Response Policy How incidents are reported and investigated

Termination of Access Policy How employees are terminated

Backup Policy How data are backed up

Virus Policy How virus infections need to be dealt with

Retention Policy How data can be stored

Physical Access Policy How access to the physical area is obtained

Security Awareness Policy How security awareness are carried out

Audit Trail Policy How audit trails are analysed

Firewall Policy How firewalls are named, configured etc

Network Security Policy How network systems can be secured

Encryption Policy How datas are encryped, the encryption method used, etc.

While developing these policies it is obligatory to make them as simple as possible, because complex policies are less secure than simple systems. Security policies can be modified at a later time; that is not to say that you can create a violent policy now and a perfect policy can be developed some time later.

Acceptable usage policy

Acceptable usage policy (AUP) is the policies that one should adhere to while accessing the network. Some of the assets that these policies cover are mobile, wireless, desktop, laptop and tablet computers, email, servers, Internet, etc. For each asset we need to look at how we can protect it, manage it, who is authorised to use and administer the asset, what are the accepted methods of communication in these assets, etc.

A template for AUP is published in SANS and a security analyst will get an idea of how an AUP actually looks. Some of the regulatory compliances mandate that a user should accept the AUP before getting access to network devices. Implementing these controls makes the organisation a bit more risk-free, even though it is very costly. A few are:

  • The PCI Data Security Standard (PCIDSS)
  • The Health Insurance Portability and Accountability Act (HIPAA)
  • The Sarbanes-Oxley Act (SOX)
  • The ISO family of security standards
  • The Graham-Leach-Bliley Act (GLBA)

Once a reasonable security policy has been developed, an engineer has to look at the country's laws, which should be incorporated in security policies. One example is the use of encryption to create a secure channel between two entities. Some encryption algorithms and their levels (128,192) will not be allowed by the government for a standard use. Legal experts need to be consulted if you want to know what level of encryption is allowed in an area. This would become a challenge if security policies are derived for a big organisation spread across the globe.


Security policies can be developed easily depending on how big your organisation is. But the challenge is how to implement these policies by saving time and money. If a good security policy is derived and implemented, then the organisation's management can relax and enter into a world which is risk-free.

Ryan Mazerik
Ryan Mazerik

Ryan has over 10yrs of experience in information security specifically in penetration testing and vulnerability assessment. He used to train and mentor consultants of these offerings to expand security delivery capabilities.He has strong passion in researching security vulnerabilities and taking sessions on information security concepts.