Setting up an information security policy

8 Dec 2017 Lumina Technologies

An information security policy is like a staff handbook, but focused on IT and data handling. Through it, a company sets out its standard rules and manages what it expects of staff. This kind of policy document is an important tool for IT security, and it will be a vital resource once GDPR comes into effect, because the penalties for mishandling personal data can be severe (fines of up to €20 million or 4% of global annual turnover, whichever is higher).

If you do not tell employees how you want things done, how can you expect them to do things the way you want? That is why companies produce staff handbooks: so people know how they are expected to behave, dress and so on when they are at work or representing the company at meetings and events.

Your policy needs to cover topics such as password requirements, permissions, remote access, data access, monitoring, responsibilities, mandatory training, conduct and disciplinary action, and what happens when a staff member leaves the company (return of equipment and removal of access).

Managing expectations

Your information security policy needs to be clear, so staff understand what they must do for the company to achieve compliance. You must be willing to enforce it consistently in order to demonstrate that it is effective, even if that means disciplining or dismissing employees who do not comply. To fully manage expectations, the policy document must also spell out the consequences of non-compliance.

Information to include

When deciding what information and instructions to include, it may help to think of how speed limits are managed on the roads.

  • Policy – tells us that we must not exceed the speed limit, but does not say what the limits are.
  • Standards – tell us what the speed limits are for each type of road.
  • Procedure – tells us how to do it. For instance, on a country road the limit may be 60mph, but a guideline advises dropping to 40mph before a sharp bend; the procedure explains how to slow the car so you get round the bend safely.

Let us use USB sticks as an example of how this applies to your information security policy. Unencrypted, these tiny devices can become a huge security nightmare, as they did for Heathrow Airport recently, when an unencrypted USB stick was picked up in the street and its contents read. USB sticks are so small that it is almost inevitable one or more will be lost at some point, which makes it crucial that everyone follows your information security policy to the letter. The information you need to include should look something like this:

  • Policy – only encrypted USB sticks may be used to take data off your premises.
  • Standards – the approved drive models and the encryption they must use (for example, hardware-encrypted drives using AES-256), and how the encryption password or key must be chosen and stored.
  • Procedure – step-by-step instructions for encrypting a drive, who to go to for help, and what to do (and whom to notify) if a drive is lost.

If you would like help drawing up your company’s information security policy, contact us to book an appointment to discuss your needs.
