Try for free
    11.02.2016

    Information Security Policy: What, Why and How

    The introduction of an Information Security Policy is an obvious step for companies who care about their own well-being, and an integral part of all activities to ensure the protection of business. Falcongaze Analytics Center highlights what it means and why it is essential.

    An Information Security Policy describes the main principles and general concept for the organization of information security at a particular company. It should reflect the enterprise's goals for security and the agreed upon management strategy for securing data. When viewed in the narrow context, an Information Security Policy describes and regulates all business processes in terms of their security.

    Why do you need an Information Security Policy?

    The main objective of an information security policy is to enter in the record the information security rules within the organization. Without it, the interaction of employees with a variety of resources will be regulated only informally and therefore the risk of breaches and data leaks will increase. The introduction of the corporate policy will raise the discipline and consciousness of employees and build a foundation based on which you can efficiently organize the work of the company.

    When developing a corporate security policy you should start with determining risks that threaten the company. This means first of all to determine what information assets must be protected, to which threats those assets are subjected, and what damage menaces the company in case of the implementation of these threats.

    The process of introducing protective measures is always a search for a compromise between comfort and risk reduction. Implementation of an Information Security Policy is a kind of formalization of this compromise. The adoption of an Information Security Policy will help to minimize situations in which an average user does not take seriously the recommendations of the Information Security department, or information security officers try to protect everyone from everything, disrupting the effective functioning of the company.

    What an Information Security Policy should contain

    Security must be ensured at all levels, so an Information Security Policy should address all systems, networks, data, software and, of course, users. For example, you compile the list of servers and the list of employees who have access to them, define tasks and responsibilities. Even more important in the development of security regulations is the security policy of workplaces, in particular the policy of working with Web Resources. It regulates the responsibility and duties of employees in terms of working on the Internet.

    All the information should be classified. There should be no ambiguity in the terminology. There also should be references to supporting documents (e.g. guidelines, procedures, technology standards, etc.).

    In addition, an Information Security Policy should include all the measures, which the company uses to monitor compliance with the policies, and specify consequences for non-compliance. Transparency is a must both in creating an Information Security Policy and familiarization of employees with it.

    Monitoring of compliance with an Information Security Policy

    There are various methods of compliance control. Diverse software designed to monitor the activities of employees in the workplace is available both separately and as part of comprehensive products. Such security platforms as Falcongaze SecureTower, in addition to their primary function of data leak prevention, allow to monitor the activities of employees and identify all violations.

    The introduction of an Information Security Policy is not a one-time event, but a long process, which should involve the representatives of IS- and IT departments, as well as heads of other departments, so that everything would be taken into consideration. One of the main goals of an Information Security Policy is to create the basis for all business processes in an organization in terms of their security.

    Important publications

    The SecureTower DLP system

    • Protection against data leaks caused by employees
    • Control of employees' work on computers
    • Identification of potentially dangerous employees (risk analysis)