If you have been asked to draft an IT security policy for your organization and you’re wondering how to get started, you’ve come to the right place.
Technology professionals are frequently asked to craft security policies for their organization. IT and security policies should follow the same format as the organization’s existing policies.
A policy statement should be no longer than absolutely necessary. It should be clear and direct. It should not be aspirational or include best practices that the organization does not have the resources to reasonably achieve. It must be consistent with applicable laws and regulations.
Policy documents are often drafted by different people across the organization at different periods of time in the organization’s life-cycle. This is usually evident by a lack of cohesive style and formatting when you review all of an organization’s policies at the same time. Consider using a policy template format to achieve consistency.
Below is a simple to use and easy to follow format:
A simple statement that outlines the common-sense reason the policy exists.
This paragraph outlines the intended audience of people, data, systems and assets covered by the policy. Alternatively, it may also define items that are considered out of scope.
This section outlines the objectives of the policy, as well as what it aims to achieve. This should be the most detailed section of the document and may be broken into smaller segments to improve clarity. However, it is important to note that this section should only include the “what”, not the “how”.
- Responsibilities, Rights and Duties of Personnel
This section must designate the roles and responsibilities of all personnel defined in the scope. First, it must define who is responsible for implementation of the policy. Second, it also must outline who is accountable. The best practice is for those to be different individuals and defined by position title. For the staff identified in the scope, they need to know when an incident occurs, if there is there a duty to report issue. If so, to who, by when and how.
This section defines who has responsibility for enforcement and potential consequences.
Include definitions for any technical terms used in the policy.
- Governing Laws & Regulations
If applicable, list any laws or regulations (including security frameworks such as NIST or ISO and standards such as PCI and GDPR) that govern the policy or with which the policy must comply. If there are no pertinent governing laws or regulations, you may delete this section.
- Revision History Log
Finally, there should be a section at the end of the file to outline when the policy was originally drafted and approved. It can then be used to log when revisions occur and are approved.
Most associations have one or more groups of policy documents. Depending on their intended audience, they may require review and approval from HR, legal and/or senior management. In some cases, they may require approval from the Board of Directors. To keep the content focused and reduce the number of times the policy must be reapproved, it is best practice to house policies and procedures in separate documents.
After policy has been adopted by the appropriate governing group, consider creating formal procedural documents that reinforce and support the policy statements. The procedure defines specify exactly how the policy is to be accomplished. For example, if an audit is required, it should describe the nature of the audit and the frequency.
Having well-crafted policy documents is the first step in an IT security program. We work with associations to draft complete sets of IT security policies, from user policies to technology management policies. If you need further assistance, we’d love to work with you. Contact CIMATRI and ask about our policy sets for organizations required to be PCI compliant or for organizations looking to be GDPR compliant.