Back in 2017, The Economist declared that the world’s most valuable resource is data. And a cursory look at the 2020 Forbes most valuable brands most valuable brands reveals that indeed tech runs the world now.
The downside of this is significant. There’s now great pressure on companies to secure the information in their custody. Recent hacks involving SolarWinds, Twitter, and Garmin indicate that threats to information security continue to evolve, and all organizations have no option but to put in the legwork to establish and maintain required cybersecurity controls, whether their IT is on-premise, on cloud or outsourced.
From a governance perspective, an IT Security Policy is at the heart of this effort.
(This article is part of our Security & Compliance Guide. Use the right-hand menu to navigate.)
According to the ISO 27001:2013 standard, the objective of information security (InfoSec) policies is to provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
An IT security policy is a type of administrative control that communicates to all stakeholders involved in IT so that they understand what is expected of them in reducing the risks associated with information security. (It is not limited only to the security team.)
It also demonstrates the commitment by the highest level of leadership within the organization to the ideals of the policy, therefore providing direction for the rest of the employees, suppliers, and other stakeholders.
Whether at a strategic or tactical level, the IT security policy states ‘why’ the organization has taken a position to secure its IT systems. Most times, the rationale comes from:
This is crucial from a governance perspective as it sets the tone for the design and implementation of IT security controls, and also institutes the relevant roles and responsibilities required for IT security to be managed effectively.
At the core of any IT security policy is understanding and managing the risks to IT systems and data.
How the organization does this is by defining their chosen approach to achieving the required security posture or characteristics through relevant administrative, physical, and technical controls.
The ITIL® 4 Information Security Management practice spells out some of these security characteristics as follows:
The structure and size of an IT security policy varies from one organization to another, depending on their context:
In terms of content, we can borrow from the CMMC model on what to include in your security policy:
Regardless of the structure, what matters in an IT security policy is that you’re sending out a clear message to the entire organization and its stakeholders on what is required from an IT security standpoint.
The policy must be clear and unambiguous, with the right level of detail for the audience, and made easy to read and understand, especially for non-security experts.
Like other organizational-wide policies, you should create the IT security policy with the input of all relevant stakeholders. It would be imprudent for the IT management to develop a policy by themselves, without the buy-in of business users and external suppliers who they would expect to comply with it. Getting the input of stakeholders ensures broad based support in its implementation and compliance.
Alongside this is the need to communicate the policy to users and suppliers. The best bet for entrenching the IT security policy as the first line of defense against cybersecurity risks are these activities:
A risk-based approach should be used for maintaining the IT security policy.
As your organization monitors and assesses the evolving risks to your IT infrastructure and data, you’ll need to update this policy to ensure its relevance to the changing context.
In addition, measuring compliance to the IT security policy provides feedback to management on whether the policy itself is still effective and relevant. According to COBIT, some sample metrics related to policy compliance include:
An IT security policy that addresses, in particular, information security, is one of your most critical business policies. Without one, you risk your entire business.
Increase management speed and agility across your complex environment
