What should be detailed in a security policy

Last week I looked at some of the high-profile data leaks over the last year, and it is clear that enormous numbers of people have had their personal details put at risk because firms fail to protect them properly. Today, identity theft is rampant, and all reasonable measures should be taken to protect people from criminals: controls to reduce the risk of unauthorised access in the first place, and processes to limit the exposure should the worst happen.

The Joint Information Systems Committee (JISC) defines the three key aspects of information security as:

  • Availability – Knowing the information can always be accessed
  • Integrity – Knowing that the information stored is accurate and has not been modified without approval
  • Confidentiality – Knowing that information can only be accessed by those with authorisation

It is widely accepted that a high-level document is the best approach when developing a policy. This means the document should be short (but also comprehensive), easy to understand, and contain only the key points that those required to comply need to know. It should include definitions of responsibilities, limitations, emergency procedures, and the consequences of failing to comply with these requirements. Ideally a policy should avoid being tied to any particular system or technology; rather, it should give a well-rounded overview that will not need to change as technology evolves. If required, separate guidelines and procedures can be referenced that deal with more specific areas of concern. Above all, the most important consideration is that the policy must be enforceable: a requirement that cannot be checked or acted upon is not really a policy.

To summarise, JISC provides a very useful set of bullet points showing what must be included to ensure a comprehensive policy:

  • The purpose and scope of the policy
  • Guidelines for day to day security practice
  • Clear emergency procedures
  • A definition of responsibilities
  • Appropriate and enforceable sanctions
  • References to supplementary documents (as required)

The guidelines for day-to-day security practice can cover many areas of security, from user access and password guidelines to the backup of confidential data. Other areas include the use of encryption for wireless access, mobile storage, and site-to-site tunnels; firewall and anti-virus requirements for individual machines; and the types of attachments that are allowed to pass through an email system. It is also a good idea to define procedures for keeping systems up to date with the latest security patches, including how quickly patches must be applied once they are released, to reduce the chance of a breach by someone exploiting a known weakness (this could be costly, not to mention very embarrassing!).

There is a great deal of reference material available to help you construct an appropriate information security policy for your


Information Security Policies’ by Scott Barman, which contains a wealth of information covering all areas of an information security policy: physical security, Internet and email, viruses, and encryption. In this book, Scott also covers the maintenance of policies, acceptable use, and enforcement. As I said before, JISC provides some very useful guidelines on information strategies, and even though they are geared towards higher education institutions, the information is directly applicable to all other sectors.

I hope you have been inspired to craft your own information security policy, or will be polishing up one that you already have. If you have any good resources to share on this subject, why not leave a comment and share them with us?
