Call now for cybersecurity help: 888-646-1616
Holly Sagstetter

The Definitive Guide to Building an Information Security Policy

December 20, 2020

Need help with your information security policy? You’ve come to the right place!

Building an information security policy takes time. As you’ll see in this article, there are a lot of items to cover. But you can do it! 

This article will help you whether you’re writing a brand new information security policy or revising an old one. We’re aiming for a practical and complete information security policy. It needs to be usable and understandable! Otherwise, what’s the point?

Get started by grabbing a copy of our free information security policy template. This article will walk you through the major sections of our template. 

What is an Information Security Policy? 

An information security policy is a set of rules and procedures that determine how to handle digital information in your business environment. You need to ensure that users and networks in your company are abiding by security and data protection requirements. 

An information security policy makes you think through and address how data is handled in your business — and it outlines how to keep your data safe. 

sec cybersecurity guidance - Businessman with tablet

8 Critical Elements for Building a Practical Information Security Policy

There are plenty of companies out there who will take your money in exchange for a 300 page template. Please run far away from these companies. Having a huge policy that no one follows is worthless, and in some ways is worse than having no policy at all! 

You need to take the time to build your information security policy the right way. 

Below are 8 important elements for building a practical information security policy - because that’s what you want, right? A policy that you can actually follow, instead of long and useless. 

Be sure to have a copy of our free template as you go through the following list! 

#1 Basics: Ownership, Sanctions, Training, Regulations

One of the most important pieces of your information security policy starts at the very beginning: who takes ownership over this document? Usually one person owns the document, and that person is accountable to the leadership of the company. 

After determining who takes ownership of the policy, it’s important to specify employee training (how, how often and tracking method) and sanctions for those who don’t abide by the policy. 

Next, it’s important to spell out security or privacy regulations that apply to your business. This could include PCI, HIPAA, GLBA or state privacy laws. 

Finally, make a list of your sensitive data - what is it and where is it stored?

#2 Incident Response

Incident response is a very important part of your information security policy. We recently published an in-depth article about incident response:

There are three important pieces to your incident response plan:

  • Who could/should be on your incident response team?
  • What are some examples of incidents your organization may experience?
  • What is the process they will follow?

#3 Third-Party Vendor Management

Auditing your third-party vendors is critical. There have been several high-profile breaches (Target! Home Depot!) involving breaches that started because of third-party vendors. 

Here’s the basic process for third-party vendor management:

  1. Identify your third-party vendors
  2. Find or request information 
  3. Review documents and followup
  4. Address security risks
  5. Schedule security reviews for the following year

Check out our detailed article about third-party vendor management to learn more about the process:


#4 Business Continuity Planning and Disaster Recovery

This next section is very important for your information security policy. Business continuity planning is all about how to keep business running if your primary office is unavailable. Most organizations had to adapt to this idea during the COVID-19 pandemic — most people needed to work remotely. How did they access computer resources? 

We recommend including a call tree because there is always a chance that you can’t communicate via email. Make sure you have current phone numbers and consider testing the call tree throughout the year. 

We’ve published some helpful guides about business continuity planning for those in financial services. But the advice is applicable, no matter your industry:

It’s easy to confuse disaster recovery with business continuity. Business continuity is what happens to people in the event of a disaster, but disaster recovery is what happens to the computers in the event of a disaster. So for the disaster recovery section, you’ll want to explain how to quickly restore critical computer systems.

#5 Records, Paper and Clean Desk Policy

Records retention is an important regulatory requirement but varies by industry. So you’ll need to speak with an attorney about what records you need to retain and for what period of time. 

Paper shredding is related to records retention - what sensitive data do you have on paper and how do you dispose of it? If you use a paper shredding service you need to make sure they are following appropriate standards. We have a HIPAA-specific article about paper shredding services, but the information could apply to most industries:

Do you have a clean desk policy? You should! Learn more about clean desk policies:

Finally, be sure to include details about physical security: alarms, cameras, locked doors, fire alarms, sprinkler systems, etc. Get our physical security checklist:

#6 Acceptable Use

We're getting closer to the end! Acceptable use is critical for your information security policy, and this is definitely a section you want employees to review. Acceptable use is all about how employees are allowed to use their computers. What are they allowed to do and what are they not allowed to do? Be sure to clearly state how employees can use/not use the following:

  • Computers
  • Internet
  • Laptops
  • Mobile devices
  • Remote access
  • Removable media
  • Social media

Want to see an example? The SANS Institute published a great sample of an acceptable use policy

#7 Cybersecurity Technology

This section of your information security policy is all about how you are using technology to protect your data and systems. 

First, let’s look at vulnerabilities and patch management. Unfortunately, we see this over and over: users have auto-updates turned on for Windows (great!) but they neglect the other systems on their computer: Adobe is out of date, Java programs are out of date, etc. You are leaving your system open wide by not updating programs consistently. So an important question to answer is how will you identify systems that are running old software and who will patch them?

Next, address the following categories:

  • Network security
  • Wifi security
  • Email security
  • Internet security
  • Website security
  • Endpoint security
  • Online banking security
  • Server security

Our free infosec policy template provides more details about these cybersecurity technology policy sections. 

#8 Access Control and Passwords

Access control is all about who can access what. We recommend using the concept of least privilege, which means giving people enough access to do their job, but not more than that.

Access control encompasses a few smaller categories:

  • Onboarding: include pre-hire screening
  • Physical: who can access sensitive storage areas?
  • Digital: how do you prevent unauthorized access?
  • Job changes: make sure access is adjusted appropriately
  • Terminations: make sure to address voluntary vs. involuntary terminations

Related to access control is a password policy. You need to determine and explain password requirements, how often you change passwords and when passwords may be shared. 

Some password tips:

  • Passwords should be 12 characters or more and include special characters
  • Use two-factor authentication (2FA) whenever you can
  • Create unique passwords for each system
  • Use a password manager if you need to share passwords

Free Information Security Policy Template

This is the same template we use to create Information Security Policies for clients. Get your copy today:

How Adelia Risk can help

We’re cybersecurity experts who actually help! We won’t leave you with a 200 page door-stop of things to fix. We help you along the way. 

If you need help with your Information Security Policy or Cybersecurity in general, contact us!

Leave a Reply

Your email address will not be published. Required fields are marked *

Do you think we might be a
good match?

We help over 100 of the best financial services, healthcare, and manufacturing companies across the U.S. with their cybersecurity.
Copyright 2023 Adelia Associates, LLC | All Rights Reserved