How to Write an Effective IT Security Policy

If you have been asked to draft an IT security policy for your organization and you're wondering how to get started, you’ve come to the right place. 

Technology professionals are frequently asked to craft security policies for their organization. IT and security policies should follow the same format as the organization’s existing policies.

A policy statement should be no longer than absolutely necessary. It should be clear and direct. It should not be aspirational or include best practices that the organization does not have the resources to reasonably achieve.  It must be consistent with applicable laws and regulations.

Policy documents are often drafted by different people across the organization at different periods of time in the organization’s life cycle. This is usually evident by a lack of cohesive style and formatting when you review all of an organization’s policies at the same time. Consider using a policy template format to achieve consistency.

IT Security Policy Template

Below is a simple-to-use and easy-to-follow format to help you write your security policy.

• Purpose
  A simple statement that outlines the common-sense reason the policy exists.
• Scope
  This paragraph outlines the intended audience of people, data, systems, and assets covered by the policy. Alternatively, it may also define items that are considered out of scope.
• Objectives
  This section outlines the objectives of the policy, as well as what it aims to achieve. This should be the most detailed section of the document and may be broken into smaller segments to improve clarity. However, it is important to note that this section should only include the “what”, not the “how”. 
• Responsibilities, Rights & Duties of Personnel
  This section must designate the roles and responsibilities of all personnel defined in the scope. First, it must define who is responsible for implementation of the security policy.  Second, it also must outline who is accountable.  The best practice is for those to be different individuals and defined by position title. For the staff identified in the scope, they need to know when an incident occurs, if there is there a duty to report issue. If so, to who, by when and how.
• Enforcement
  This section defines who has responsibility for enforcement and potential consequences.
• Definitions
  Include definitions for any technical terms used in the policy. 
• Governing Laws & Regulations
  If applicable, list any laws or regulations (including security frameworks such as NIST or ISO and standards such as PCI and GDPR) that govern the policy or with which the policy must comply. If there are no pertinent governing laws or regulations, you may delete this section.
• Revision History Log
  Finally, there should be a section at the end of the file to outline when the policy was originally drafted and approved.  It can then be used to log when revisions occur and are approved.

Approval & Implementation

Most associations have one or more groups of policy documents. Depending on their intended audience, they may require review and approval from HR, legal and/or senior management. In some cases, they may require approval from the Board of Directors. To keep the content focused and reduce the number of times the policy must be reapproved, it is best practice to house policies and procedures in separate documents.

After the security policy has been adopted by the appropriate governing group, consider creating formal procedural documents that reinforce and support the policy statements. The procedure defines specify exactly how the policy is to be accomplished. For example, if an audit is required, it should describe the nature of the audit and the frequency.

Getting Started

Having well-crafted policy documents is the first step in an IT security program. We work with associations to draft complete sets of IT security policies, from user policies to technology management policies. If you need further assistance, we’d love to work with you. Get in touch with us to learn about our policy sets for organizations required to be PCI compliant or for organizations looking to be GDPR compliant.