What’s Needed for a Successful Information Security Policy?

An Educational Paper Contribution:

Today organizations fight a constant battle to protect their information assets from external and internal threats. A security policy should be treated as a living document that evolves with the latest threats it protects against. Before you begin writing a policy, do your research: know what you are protecting, whom you need to talk to, and which laws and regulations your policy needs to enforce.

Security policies set the guidelines and structure of the organization. A well-written policy documents how data and networks will be protected and what rights users have on the network and in applications. When incidents happen, policies direct users to the correct steps to take. This paper gives the steps to think about when creating a policy.

  1. Be sure to define the topic.

When creating an information security policy, there are several things to consider: 1) Will management support and enforce the policy? 2) How does the information security policy affect the organization? 3) What framework is needed for a successful policy?

Always keep in mind when writing a policy what you are trying to protect and the potential threats. The main goals of the policy are to protect assets, set rules and guidelines, define what a person is authorized to do, minimize risk, establish a baseline for security, and track compliance with regulations and legislation. There are two types of policies: governing and technical. The governing policy is written at a high level for management; the enterprise information security policy is also known as the governing policy. The technical policy addresses the who, the what, the when and the where by describing what must be done, and is written for end users, technical users and management. Technical policies are also known as issue-specific and system-specific security policies.

The policy development lifecycle can guide you in developing your own policies. There are 15 steps to follow:

  1. Obtain senior management commitment.
  2. Work with legal and HR to set a compliance grace period.
  3. Determine who needs to be involved in writing the policy.
  4. If there is an existing policy, review it to see if it is still compliant.
  5. Research security policies by searching the internet, talking to other security professionals, and reading books and whitepapers.
  6. Gain a good understanding of the organizational needs and what is being protected before interviewing the SMEs to get the correct information.
  7. Write the initial draft to see how it is accepted by management and users.
  8. Consult your company style guide so the policy is uniform.
  9. Determine review cycles to keep the document up to date.
  10. Set up a review with additional stakeholders that have an interest in the policy.
  11. Identify any gaps before publishing your policy.
  12. Have a game plan for how you will communicate the policy to the organization.
  13. Always publish your policy where all employees have access.
  14. Make sure you have a plan to communicate to users.
  15. Lastly, make sure you regularly update and review the policy.

This is a living document and should not become shelfware.

  2. How/why/when is it used in practice?

An information security policy is needed at each step of the information security program. Your program is only as good as the policies you have in place. Policies are used to control the use of hardware, define user access to applications, specify what users have access to, and govern email and internet usage; the number of policies depends on the company's needs and goals. Your policy should give direction and be written for its target audience. Remember that when creating your policy you are protecting the organization's data: its confidentiality, integrity and availability.


  3. Different types of the product/standards/regulation associated with the topic.

The regulatory requirements for writing a policy are that it should not conflict with the law, must be able to stand up in court, and must have the proper support. Depending on your organization, the regulations to follow include PCI Data Security, the HITECH Act, HIPAA (Health Insurance Portability and Accountability Act), SOX (Sarbanes-Oxley), the ISO family of security standards and GLBA (Gramm-Leach-Bliley Act). The policy written for the organization determines the standards. There are not really products for writing policies, but there is guidance from NIST documents, books, and organizations like SANS and ISACA.

  4. Your recommendation on the topic and its future viability to Information Security

My recommendation on the topic is to do an assessment of your application to understand what needs to be protected. This way your policies can be written to protect the assets and the organization from threats and vulnerabilities. Policies need to have the support of management and be enforceable. Any type of policy, whether enterprise information security policy, issue-specific or system-specific, needs to be written in a way that is easy for the user to understand.

  5. What do you think the next step is for the topic?

The next step for policies is trained security personnel who understand the difference between a policy, a standard and a guideline, and who can explain why policies are important to protecting the organization's reputation and to its cost benefits. They also need to understand the business needs and the assets being protected, and have a strong understanding of the law to know what is enforceable. As security personnel you need to know the important people to pull in, such as legal, management, human resources and administrators, depending on the policy being written.

  6. What possible research application can be investigated for your topic?

For my topic, there is not really an application you can investigate, but there are several websites, like CERT, vendor sites and antivirus software sites, that help you stay on top of the latest vulnerabilities. These sites help you stay up to date with the current threats facing your application and network. You also need to stay on top of presidential executive orders, FISMA, NIST and the laws.


The main goal of security is protecting the confidentiality, integrity and availability of company assets. You must determine what you are protecting and how to protect it. A policy is the lifeline of information security in a company. Having a policy shows the company's due diligence in protecting assets. Know the key players and have management buy-in. Perform a risk assessment on your application to know what threats are facing your company. This gives a baseline for your policy. Knowing your risk can help you set priorities on which policies are needed first and which are most cost-effective.


Once you have the policy created and the users trained, remember that a policy is a living document and must be reviewed on a regular basis to adapt to a changing environment.
