In this blog post, I will take you through our template for an effective IT security policy. You will be able to create a policy for your organisation and, therefore, strengthen the IT security in your organisation. The IT security policy is an important tool to achieve and maintain a healthy and good IT security culture in your organisation.
When you work with IT security in your organisation, it can be highly useful to have an IT security policy and Acceptable Use Policy. With a policy and a set of guidelines, you set the tone for your IT security work which will make your security stronger.
The purpose of an IT security policy is to provide a general framework for the organisation that includes objectives and delegates the responsibility for IT security. It is a small document with only a few pages and is viewed as a management memo with ambitions for the organisations’ IT security actions.
The Acceptable Use Policy is a larger document with rules and guidelines which all employees must follow. Where the policy is general and strategic, the guidelines are concrete and implementable.
In this blog post, I will go through the template for an effective IT security policy and inform you of what you should be aware of when you create a policy of your own for your organisation.
The purpose of the IT security policy is, as previously mentioned, to create the framework for the organisations’ IT security work. The policy will help you to make objectives, delegate responsibility, and report progress.
I will now go through each step of the template with comments on how to use it and what to be aware of.
We highly recommend that you follow the template while reading this guide because it is filled with useful examples.
The IT security policy contains seven sections that you need to consider and complete. These sections are:
The first section you need to consider is the purpose of the policy. The purpose will almost always be to set the framework for the management of information security in the organisation. In this section, you could, for instance, write something as:
“The security policy defines the framework for the management of information security in X.”
Validity deals with whom the policy affects. Often this would be all employees in the organisation. However, it could also include consultants who work for the organisation and everybody who uses the IT system in the organisation. Thus, it is up to you to decide who is included in the policy.
It could sound like:
“The security policy applies to all employees in X and the entire access to X’s information systems.”
The third section is the objectives. In many ways, the objectives are the central element of the policy. This is the place where you define what you want to achieve. You are in line with your policy if you comply with the objectives.
In our template, there are 8 examples of potential objectives that can be used, adjusted, or deleted to fit your organisation. It is important to consider why you choose the objectives you choose and whether they are realistic. The 8 examples can be found in the template, but you can see one of them here:
“ORG X uses a risk-based approach where the level of protection and its cost must be based on the business risk and impact assessment that must be carried out annually as a minimum”
The examples in our template point in the direction of already existing frameworks such as ISO270001: 2013. It does so because it is not necessary to reinvent the wheel. It is perfectly fine for you to use already existing frameworks.
In the examples, we use the word endeavours a few times. Some people would point out that it is vague to use a word as endeavours in an objective. The use of this word must be understood as an understanding of the amount of work it takes to comply with ISO27001:2013 and all the GDPR regulations. For many organisations, it would be an unrealistic objective to comply with. Therefore, by using the word endeavours you set demands for moving in the right direction, but you also accept that it is a journey. A lot of organisations simply cannot comply with all rules from day one.
The policy is a document that is always in progress and needs to be reassessed regularly. The wording can change many times while you get smarter and better in your organisation. Thus, by reassessing and updating the policy every year you will see changes in the objectives to make them fit your organisation.
It ensures that the policy does not become an old dusty document but an active tool in your security work.
You must delegate the responsibility for IT security across the organisation. The policy can be an effective way of doing this.
It is perhaps the person who is responsible for IT who sits with the daily tasks and operations but there must be responsibilities and tasks in other positions in the organisation. At every level of the organisation, from board members to employees, there is responsibility.
As shown in the template a delegation of responsibility could be something like:
It is important to note that it is not necessarily the IT department that has ownership for every information system. It could be, for instance, the marketing department that holds ownership for the company webpage. Hence, it is important that the responsibility delegation mirrors the organisation’s reality.
Waivers are exceptions where responsibility and objectives are not applicable. If you do not have any clear exceptions, you can formulate a statement as such that allows changes in the future if needed:
“Waivers for X’s information security policy and guidelines are approved by the IT department based on the guidelines laid out by the executive board.”
Reporting is important because it creates a loop and process in the work related to IT security. The reporting highlights the areas of responsibility. If the IT department, for example, must report to the executive board, you ensure that progress is created because the IT department must show results in the reports.
The reporting ensures progress in the work with objectives and assures that responsibilities are respected.
The section could be formulated as follows:
The last step in the IT security policy deals with what happens if someone intentionally violates the policy. It could be the HR department’s responsibility to deal with such violations or it may even be the person responsible for the entire IT. The important aspect is to have it on paper who needs to act in case of a violation. In that way, you ensure that the situation is handled. In our template we have written:
“Intentional violation and abuse are reported by the IT department to the HR department and the closest authority with lead responsibility. Violation of the information security policy and supporting guidelines may result in employment law consequences.”
These seven sections are the contents of your policy. It does not need to take up more space than a few pages because it is ‘just’ the framework for the organisation’s security work.
When the ambitions and objectives are in place, you and your organisation can dive into more concrete rules and guidelines which employees need to follow. These rules and guidelines are usually written in another document – the Acceptable Use Policy.
Together, the IT security policy and the Acceptable Use Policy create the foundation for a strong IT security culture in your organisation.
It is important to update the documents annually to make sure that they are up to date and useful. You need to actively work with the objectives and rules in those two documents to make sure that your organisation moves forward.
I hope you found the template useful!
Join our 2000+ subscribers and sign up for our newsletter. You will receive inspiration, tools and stories about good cyber security practice directly in your inbox. Our newsletter is sent out approximately once a month.