How to make an IT-security policy – A step-by-step guide with free template
Anders Bryde Thornild
• 15. JULY 2020 • READ 7 MIN.
In this blog post, I will take you through our template for an effective information security policy. With it, you will be able to create a policy for your organization and thereby strengthen its IT security. The IT-security policy is an important tool for achieving and maintaining a healthy IT-security culture in your organization.
What is the difference between an IT-security policy and guidelines for IT usage?
When you work with IT-security in your organization, it can be highly useful to have an IT-security policy and guidelines for IT-usage. With a policy and a set of guidelines, you set the tone for your IT-security work which will make your security stronger.
The purpose of an IT-security policy is to provide a general framework for the organization that sets objectives and delegates the responsibility for IT security. It is a small document of only a few pages and should be viewed as a management memo stating the ambitions for the organization’s IT-security work.
The “Guidelines for IT usage” is a larger document with rules and guidelines which all employees must follow. Where the policy is general and strategic, the guidelines are concrete and implementable.
In this blog post, I will go through the template for an effective IT-security policy and inform you on what you should be aware of when you create a policy of your own for your organization.
The IT-security policy: Step-by-step
The purpose of the IT-security policy is, as previously mentioned, to create the framework for the organization’s IT-security work. The policy will help you set objectives, delegate responsibility, and report progress.
I will now go through each step of the template with comments on how to use it and what to be aware of.
We highly recommend that you follow the template while reading this guide because it is filled with useful examples.
The IT-security policy contains seven sections that you need to consider and complete. These sections are:
Step 1: Purpose
The first section you need to consider is the purpose of the policy. The purpose will almost always be to set the framework for the management of information security in the organization. In this section, you could, for instance, write something like:
“The security policy defines the framework for the management of information security in X.”
Step 2: Validity
Validity deals with whom the policy applies to. Often this will be all employees in the organization. However, it could also include consultants who work for the organization and everybody else who uses the organization’s IT systems. Thus, it is up to you to decide who is covered by the policy.
It could read:
“The security policy applies to all employees in X and the entire access to X’s information systems.”
Step 3: Objectives
The third section is the objectives. In many ways, the objectives are the central element of the policy. This is the place where you define what you want to achieve. You are in line with your policy if you comply with the objectives.
In our template, there are 8 examples of potential objectives that can be used, adjusted, or deleted to fit your organization. It is important to consider why you choose the objectives you choose and whether they are realistic. The 8 examples can be found in the template, but you can see one of them here:
“ORG X uses a risk-based approach where the level of protection and its cost must be based on the business risk and impact assessment that must be carried out annually as a minimum”
The examples in our template point in the direction of already existing frameworks such as ISO 27001:2013. They do so because it is not necessary to reinvent the wheel. It is perfectly fine for you to build on existing frameworks.
In the examples, we use the word endeavors a few times. Some people would point out that a word like endeavors is vague in an objective. The use of this word reflects an understanding of the amount of work it takes to comply with ISO 27001:2013 and all the GDPR regulations. For many organizations, full compliance would be an unrealistic objective. By using the word endeavors, you set demands for moving in the right direction while accepting that it is a journey. A lot of organizations simply cannot comply with all rules from day one.
The policy is a document that is always in progress and needs to be reassessed regularly. The wording can change many times as your organization gets smarter and better. Thus, by reassessing and updating the policy every year, you will adjust the objectives to fit your organization.
This ensures that the policy does not become an old, dusty document but remains an active tool in your security work.
Step 4: Organization and responsibility
You must delegate the responsibility for IT security across the organization. The policy can be an effective way of doing this.
The person responsible for IT may be the one who handles the daily tasks and operations, but responsibilities and tasks must also be placed in other positions in the organization. At every level of the organization, from board members to employees, there is responsibility.
As shown in the template, a delegation of responsibility could look like this:
- The board of directors has the ultimate responsibility for information security in X.
- The executive board is responsible for management principles and delegates specific responsibilities for protective measures, which includes ownership of information systems.
- Ownership is set for every critical information system. The owner establishes how.
- The IT-department consults, coordinates, controls, and reports on the status of the security. The IT-department prepares guidelines and procedures.
- The individual employee is responsible for complying with the security policy and being informed about it in the “IT-usage policy”.
It is important to note that it is not necessarily the IT department that holds ownership of every information system. It could be, for instance, the marketing department that owns the company webpage. Hence, it is important that the delegation of responsibility mirrors the organization’s reality.
Step 5: Waiver
Waivers are exceptions where the responsibilities and objectives do not apply. If you do not have any clear exceptions, you can formulate a general statement that allows changes in the future if needed:
“Waivers for X’s information security policy and guidelines are approved by the IT-department based on the guidelines laid out by the executive board.”
Step 6: Reporting
Reporting is important because it creates a loop and a process in the work related to IT security. The reporting highlights the areas of responsibility. If the IT department, for example, must report to the executive board, progress is ensured because the IT department must show results in its reports.
The reporting ensures progress in the work with the objectives and assures that responsibilities are respected.
The section could be formulated as follows:
- The IT-department informs the executive board about all relevant security breaches
- Status of waivers are included in the IT-department’s annual report to the executive board
- The executive board reviews the security status annually and reports to the board of directors afterward
Step 7: Violation
The last step in the IT-security policy deals with what happens if someone intentionally violates the policy. It could be the HR department’s responsibility to deal with such violations, or it may be the person responsible for IT as a whole. The important aspect is to have it in writing who must act in case of a violation. In that way, you ensure that the situation is handled. In our template we have written:
“Intentional violation and abuse are reported by the IT-department to the HR-department and the closest authority with lead responsibility. Violation of the information security policy and supporting guidelines may result in employment law consequences.”
The Information security policy is the framework for your security
These seven sections are your policy. It does not need to take up more than a few pages because it is “just” the framework for the organization’s security work.
When the ambitions and objectives are in place, you and your organization can dive into the more concrete rules and guidelines which employees need to follow. These rules and guidelines are usually written in another document called “Guidelines for IT usage”. You can find our guide and template here.
Together the Information security policy and the Guidelines for IT usage create the foundation for a strong IT security culture in your organization.
It is important to update the documents annually to make sure that they are up to date and useful. You need to actively work with the objectives and rules in those two documents to make sure that your organization moves forward.
I hope you found the template useful!