Management, compliance & auditing

Key elements of an information security policy

Dimitar Kostadinov
July 20, 2020 by
Dimitar Kostadinov

An information security policy is a set of rules enacted by an organization to ensure that all users of networks or the IT structure within the organization’s domain abide by the prescriptions regarding the security of data stored digitally within the boundaries the organization stretches its authority.

An information security policy governs the protection of information, which is one of the many assets a corporation needs to protect. We will discuss some of the most important aspects a person should take into account when contemplating developing an information security policy.

Thinking logically, one would say that a policy should be as broad as the creators want it to be: basically, everything from A to Z in terms of IT security. For that reason, we will be emphasizing a few key elements. However, you should note that organizations have liberty of thought when creating their own guidelines.

Elements of an information security policy

1. Purpose

Institutions create information security policies for a variety of reasons:

  • To establish a general approach to information security
  • To detect and forestall the compromise of information security such as misuse of data, networks, computer systems and applications.
  • To protect the reputation of the company with respect to its ethical and legal responsibilities
  • To observe the rights of the customers. Providing effective mechanisms for responding to complaints and queries concerning real or perceived non-compliances with the policy is one way to achieve this objective

2. Scope

An information security policy should address all data, programs, systems, facilities, other tech infrastructure, users of technology and third parties in a given organization, without exception.

3. Information security objectives

An organization that strives to compose a working information security policy needs to have well-defined objectives concerning security and strategy. Management must agree on these objectives: any existing disagreements in this context may render the whole project dysfunctional. 

The most important thing that a security professional should remember is that his knowledge of the security management practices would allow him to incorporate them into the documents he is entrusted to draft. That is a guarantee for completeness, quality and workability.

Simplification of policy language is one thing that may smooth away the differences and guarantee consensus among management staff. Ambiguous expressions are to be avoided, and authors should take care to use the correct meaning of terms or common words. For instance, “musts” express negotiability, whereas “shoulds” denote a certain level of discretion. I

Ideally, the policy’s writing must be brief and to the point. Redundant wording makes documents long-winded or even illegible, and having too many extraneous details may make it difficult to achieve full compliance. 

How management views IT security is one of the first steps when a person intends to enforce new rules in this department. A security professional should make sure that the information security policy is considered to be as important as other policies enacted within the corporation. In cases where an organization has a very large structure, policies may differ and therefore be segregated in order to define the dealings in the intended subset of this organization.

Information security is considered as safeguarding three main objectives:

  • Confidentiality: Data and information assets must be confined to people who have authorized access and not disclosed to others
  • Integrity: Keeping the data intact, complete and accurate, and IT systems operational
  • Availability: An objective indicating that information or system is at disposal of authorized users when needed.

Donn Parker, one of the pioneers in the field of IT security, expanded this threefold paradigm by suggesting additional objectives: “authenticity” and “utility”.

4. Authorization and access control policy

Typically, a security policy has a hierarchical pattern. Junior staff is usually required not to share the little amount of information they have unless explicitly authorized. Conversely, a senior manager may have enough authority to make a decision about what data can be shared and with whom, which means that they are not tied down by the same information security policy terms. This means that the information security policy should address every basic position in the organization with specifications that will clarify their authorization.

Policy refinement takes place at the same time as defining the administrative control or authority people in the organization have. Essentially, it is a hierarchy-based delegation of control in which one may have authority over his own work, a project manager has authority over project files belonging to a group he is appointed to and the system administrator has authority solely over system files. 

A user may have the need-to-know for a particular type of information. Therefore, data must have enough granularity to allow the appropriate authorized access and no more. This is all about finding the delicate balance between permitting access to those who need to use the data as part of their job and denying such to unauthorized entities.

Access to the company’s network and servers should be via unique logins that require authentication in the form of either passwords, biometrics, ID cards or tokens etc. Monitoring on all systems must be implemented to record login attempts (both successful ones and failures) and the exact date and time of logon and logoff.

As the IT security program matures, the policy may need updating. While doing so will not necessarily guarantee an improvement in security, it is nevertheless a sensible recommendation.

5. Classification of data

Data can have different values. Gradations in the value index may impose separation and specific handling regimes/procedures for each kind. An information classification system will therefore help with the protection of data that has a significant importance for the organization and leave out insignificant information that would otherwise overburden the organization’s resources. 

A data classification policy may arrange the entire set of information as follows:

  1. High Risk class: Data protected by state and federal legislation (the Data Protection Act, HIPAA, FERPA) as well as financial, payroll and personnel (privacy requirements) are included here
  2. Confidential Class: The data in this class does not enjoy the privilege of being protected by law, but the data owner judges that it should be protected against unauthorized disclosure
  3. Public class: This information can be freely distributed

Data owners should determine both the data classification and the exact measures a data custodian needs to take to preserve the integrity in accordance to that level.

6. Data support and operations

In this part, we could find clauses that stipulate:

  • The regulation of general system mechanisms responsible for data protection
  • The data backup
  • Movement of data

7. Security awareness sessions

Sharing IT security policies with staff is a critical step. Making them read and acknowledge a document does not necessarily mean that they are familiar with and understand the new policies. On the other hand, a training session would engage employees and ensure they understand the procedures and mechanisms in place to protect the data. 

Such an awareness training session should touch on a broad scope of vital topics: how to collect/use/delete data, maintain data quality, records management, confidentiality, privacy, appropriate utilization of IT systems, correct usage social networking and so on. A small test at the end is perhaps a good idea.

8. Responsibilities, rights and duties of personnel

Things to consider in this area generally focus on the responsibility of persons appointed to carry out the implementation, education, incident response, user access reviews and periodic updates of an information security policy.

Prevention of theft, information know-how and industrial secrets that could benefit competitors are among the most cited reasons as to why a business may want to employ an information security policy to defend its digital assets and intellectual rights.

9. References to relevant legislation

There are a number of different pieces of legislation which will or may affect the organization’s security procedures. For example, in the UK, a list of relevant legislation would include:

  • The Computer Misuse Act (1990)
  • The Data Protection Act (1998)
  • The Data Protection (Processing of Sensitive Personal Data) Order (2000)
  • The Copyright, Designs and Patents Act (1988)
  • The Computer Misuse Act (1990)
  • The Human Rights Act (1998)

10. Other items that an information security policy may include

An information security policy may also include a number of different items. These include, but are not limited to: virus protection procedure, intrusion detection procedure, incident response, remote work procedure, technical guidelines, audit, employee requirements, consequences for non-compliance, disciplinary actions, terminated employees, physical security of IT, references to supporting documents and more.

Conclusion: The importance of information security policy

Many organizations simply choose to download IT policy samples from a website and copy/paste this ready-made material. This is a careless attempt to readjust their objectives and policy goals to fit a standard, too-broad shape. But one size doesn’t fit all, and being careless with an information security policy is dangerous.

A high-grade information security policy can make the difference between a growing business and an unsuccessful one. Improved efficiency, increased productivity, clarity of the objectives each entity has, understanding what IT and data should be secured and why, identifying the type and levels of security required and defining the applicable information security best practices are enough reasons to back up this statement. If you want to lead a prosperous company in today’s digital era, you certainly need to have a good information security policy.


  1. How to write an information security policy, InsiderPro
  2. Information Classification Standard, The London School of Economics and Political Science
  3. How to create a good information security policy,
  4. SophosLabs Information Security Policy, Sophos
  5. Information Security Policy, Techopedia
Dimitar Kostadinov
Dimitar Kostadinov

Dimitar Kostadinov applied for a 6-year Master’s program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master degree in 2009. From 2008-2012, Dimitar held a job as data entry & research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted Law and Politics of International Security to Vrije Universiteit Amsterdam, the Netherlands, graduating in August of 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in Internet of Things, Big Data, privacy & data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European summit organized by Forum Europe in Brussels.