An effective security management program relies on many moving parts working in concert to build a strong organizational security posture. At the foundation of that program must be strong, documented security policies that reflect the risk appetite of your organization while providing relevant, meaningful direction and value to your organization's workforce.
What is a Security Policy?
The National Institute of Standards and Technology defines Information Security Policies as “an aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information” (NIST SP 800-53 Rev. 5, 2017).
The HITRUST Alliance adapted the ISACA definition of Policy to define it as “Overall intention and direction as formally expressed by management, most often articulated in the documents that record high-level principles or course of actions; the intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives and strategic plans established by the enterprise’s management teams. Policies may provide guidance on specific issues or systems but should not be confused with standards or procedures” (HITRUST, 2018). In simple terms, a policy is the ‘what’ the organization will do and procedures are the ‘how’.
The Elements of a Security Policy
So, what are the elements that make up a strong Security Policy?
- Clear and concise language without filler or ambiguity. Policies should be easy to understand by those tasked with following, implementing, and enforcing their directives, while using language that makes them enforceable. The Federal Register points out in its guidance, Drafting Legal Documents, Principles of Clear Writing, that words such as "may" or "should" are to be avoided and replaced by "will" or "must" in order to impose an obligation (Federal Register, n.d.).
- Scope and purpose elements. Effective Information Security Policies state who the directives apply to, what they apply to, when they apply, and why, and they assign accountability by defining the roles and responsibilities of those who must follow the policies as well as those who maintain them. Policies should also state how exceptions are handled and what approvals an exception requires, and what actions are taken to enforce the policies and address violations.
- Realistic requirements. Policies should dictate what is to occur but remain unspecific as to how the directive is to be carried out or implemented, and they should be as technology-neutral as possible. Policies set guiding principles and rules and influence decisions; the details of implementation belong in standards and procedures.
- Continuous maintenance. A strong Information Security Policy is an official business record and a living document that is maintained, reviewed and updated on a regular basis: at least annually, and whenever changes to the organization, its infrastructure or its governance fall within the scope of the policy or affect the directives it contains.
Writing Effective Policies
Writing Information Security Policies that address your organization's regulatory and compliance requirements should be the foundation of your Information Security Management Program. Incorporating regulatory requirements such as the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA) or the Payment Card Industry Data Security Standard (PCI DSS) may seem like a daunting task, but it does not have to be.
Loricca has experts on staff who can analyze and remediate your current policies, as well as a library of documents and templates ready to guide your organization in building strong and effective Information Security Policies that will be the mainspring of your Information Security Management Program. Contact our team of experts to get started on updating your current policies today!
This is the first article in the series of articles built around Information Security Policies and Procedures.
References
Federal Register. (n.d.). Drafting Legal Documents, Principles of Clear Writing. Retrieved from National Archives: https://www.archives.gov/federal-register/write/legal-docs/clear-writing.html
HITRUST. (2018, February). Glossary of Terms and Acronyms. Retrieved from HITRUST Alliance: https://hitrustalliance.net/content/uploads/HITRUST_Glossary_of_Terms_and_Acronyms.pdf
NIST SP 800-53 Rev. 5 (Draft). (2017). Security and Privacy Controls for Information Systems and Organizations. Retrieved from https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft