From Wikipedia, the free encyclopedia
Information security policies are a special type of documented business rule for protecting information and the systems which store and process the information. Information security policies are usually documented in one or more information security policy documents. Within an organization, these written policy documents provide a high-level description of the various controls the organization will use to protect information.
Written information security policy documents are also a formal declaration of management's intent to protect information, and are required for compliance with various security and privacy regulations. Organizations that require audits of their internal systems for compliance with various regulations will often use information security policies as the reference for the audit.
Developing Information Security Policies
Proper development of information security policies requires careful planning. While information security policies are usually developed by one group, such as the information security department, policy development requires the input of all major business units within the organization. The policy development process has five major steps:
1. Assemble the policy development team - The team can include both primary and secondary members. Primary members will be the persons who write the policies, and should include at least one information security specialist and ideally a technical writer to help produce documents that are easy to read and understand. Secondary team members will help build requirements, review and approve documents. Ideal secondary team members include representatives from legal, human resources (HR), information technology (IT) and various business units.
2. Gather requirements - Decide which topics the policy documents will cover. Use the results of the organizational risk assessment to determine which parts of the organization are at greatest risk, and prioritize those topics.
3. Write Draft Policy Documents - Create draft policy documents for each major policy topic you will address. Be sure to use consistent style and formatting between documents.
4. Review and approve draft policy documents - Send each document for review to the members of the review team. Ideally, team members should commit to reviewing each document within a defined time period.
5. Formally publish written documents - Once a document has been formally approved, it can be published to the organization. Official publication of these documents should be sanctioned with the support of a high-level executive within the organization, preferably the CEO or CIO.
Resources
The following resources will help in the development and deployment of information security policies:
The SANS Security Policy Project provides a set of sample information security policy documents.
Information Security Policies: the complete RUsecure security policy definition document.
Information Security Roles and Responsibilities Made Easy by Charles Cresson Wood provides advice for building a proper information security organization, including sample security-related job descriptions.