Information Security Policy For SME

March 27, 2014 by Chintan Gurjar

Information security (IS) is a critical part of any company, from a small business to a big enterprise, and a challenge for any firm. Information security covers highly confidential and important assets and other business processes. It also includes private financial documents and other information about each and every employee within the organization. In some cases, information may also include a client's important assets. Without proper security for all this information, it becomes unreliable. A lack of proper security mechanisms can also make the information inaccessible when it is really needed, and can invite third parties in to compromise these private assets and information. Information comes in two forms.

  1. Electronic Information
  2. Paper form of information

It is a must for any organization to protect this information.

A general checklist for an IS policy is as follows:

  • Information must be accessible by authorized individuals or the group only.
  • In the corporate world, information should be managed and processed securely.
  • The company should demonstrate the best practices in information security within the company.
  • The company should also educate its clients about the critical risks of using its software in any way other than the way the company defines.
  • Waste information (Digital or Paper form) should be disposed of appropriately.
    • If it is digital information, then it should be deleted permanently from the system.
    • If it is a paper form of information, then it should be burned completely.
  • Information delivery should be done in a proper and secure way, and only through a trusted environment and medium.
  • Information integrity, confidentiality and availability should be maintained properly.
  • Personal confidential information should never be left unsecured.
  • Each and every employee of the enterprise should be allocated an ID badge to wear, and this rule must be followed strictly.
  • Desktops and other essential hardware should be locked up when they are not in use.
  • Every individual within the organization should clearly understand their own responsibility for safe IS practice.

This is the ideal policy, and it includes the important requirement written into ISO 27001, the international standard for information security: that the CIA triangle (confidentiality, integrity and availability) should be maintained.


This policy can be applied to the staff of an enterprise, their professionals, their volunteers, clients, etc. The purpose of this policy is to protect high-value information assets, including an individual's private information as well as client and company confidential information, from potential internal as well as external threats.

There are some policies which have been defined globally by many private and public sector organizations. These policies can be helpful to any organization, according to its different roles.

  • Information Governance Policy – the general policy for processing, storing and harvesting information.
  • Data Protection Policy – covers data in both digital and paper form. It mainly focuses on the security of the data.
  • Information Incident Management and Report Procedures – applies once something has already happened to an organization, and describes how to recover from that incident and the procedure for calling law enforcement agencies as well as external investigation agencies to find the root cause of the incident.
  • Life Cycle Policy & Record Management – covers the information and all the records of that information: how they should be processed, stored and harvested. This one differs from the information governance policy in that it deals with records and logs only.

Process of Information Security Policy

This policy is helpful in achieving a consistent approach to information security across the organization.

  • Maintain the confidentiality of the enterprise's information. The aim is limited access, which means access to the information should be managed strictly as per the company's protocols.
  • Ensure the integrity of the organization's information, so that it remains accurate and trustworthy.
  • Ensure the availability of the information is maintained. Data should be available when it is needed.

Physical Security of Private Information

It is the staff's responsibility to maintain the physical security of the organization. Protection of personal as well as non-personal information is a must.

Staff security starts with the recruitment of staff and the assignment and monitoring of their job roles in an everyday duty log record. Staff themselves should accept complete responsibility for the information assets given to them. They should let their higher authorities know about the precautions necessary to avoid loss of or damage to that information. Information must not be left in public view. If any staff member finds a breach or some suspicious incident, then he/she should report it immediately to the higher authorities, who can conduct or set up an internal or external audit to find the root cause of the breach.

All employees within the organization must wear their ID cards at all times. To transfer private or confidential data from one place to another, portable devices with some level of encryption should be used. If there are checkpoints along the journey of transporting confidential data from one point to another, then at each checkpoint the employees who are not continuing the journey should hand over all keys and other equipment that could be used to decrypt those layers of encryption and regain access to the private data.

Security Against Unauthorized Access & Data Breaches

Information within the organization must be protected from malicious software. No employee may install any third-party software in the organization without first asking their higher authorities. Even for the short period of time in which you are processing data, it must be kept secure. This is the staff's responsibility.

Not only should information be protected; Internet and email services, remote working facilities and other portable devices must also be protected. In a nutshell, every hardware and software component of the IT infrastructure must be protected. A multilevel encryption method should be used for bulk information processing or transfer.

Risk Management

Security measures should be clearly viewed as essential protection against potential risks, in order to reduce the impact of a disaster. Some disasters occur by mistake, and some are genuine attacks carried out by an attacker or third parties.

Threat: Something which can damage the enterprise.

Impact: The consequence that follows once a threat materializes in an organization.

Disposal of Information

Hardware assets must be disposed of very carefully and to a high standard. No hardware should be left in a state from which it can be repaired, even partially. Hardware assets to be disposed of may include removable computer tapes, disks, etc. All storage devices should be purged of sensitive information before disposal takes place.

Printed information must be destroyed by shredding or burning. That is the best way to dispose of paper information.


Mandatory online training should be put in place within the enterprise. All permanent and contract-based staff must complete this training within the initial weeks of their employment. Additional training should be required for managers, team leaders and higher authorities. This training should be repeated regularly, on either a monthly or a yearly basis.

Compliance Monitoring & Auditing

There are plenty of methods for auditing and monitoring compliance.

  • Reporting incidents and issues on a regular basis.
  • Analyzing major upward and downward trends in the enterprise and reporting these incidents.
  • Reporting all progress reports.
  • Reporting on improvement plans for the information security policy.
  • Communicating regularly with all team leaders and higher authorities to discuss the current issues being faced and any necessary countermeasures.
  • Taking additional steps to identify gaps within the enterprise. A gap can be a network gap, a communication gap or anything else.
  • Publishing the policy on the organization's intranet, with all managers and team leaders ensuring that they teach the best practices for applying it to the relevant users or employees.


This is an overview of the ideal information security policy that can be implemented by any small or medium enterprise. It is certainly not a best practice; however, these are basic, easy steps to follow, monitor and implement. These basic steps help any organization prevent disaster from within.

Chintan Gurjar

Chintan Gurjar is a System Security Analyst and researcher from London working at Lucideus Tech Pvt Ltd. He has written articles for the Europe-based magazines "Hakin9" and "PentestMag" and the India-based magazine "Hacker5". He has done valuable research on cryptography overhead mechanisms. Chintan Gurjar completed a B.Tech in computer science in India and is currently pursuing his postgraduate degree in computer security & forensics in London (UK). During his studies, he submitted a small-scale research paper on the Cryptography Overhead Mechanism in the IPsec Protocol. He has also submitted a Network Security Auditing report and a Network Services Administration and Management report. He is very keen to spread cyber awareness worldwide. In future he would like to work for his country's government in the field of forensic investigation.