Does your organization have an Information Security Policy?
To the extent that information security is important to organizations, information security policy is the cornerstone of the information security program.
The National Institute of Standards and Technology (NIST) Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, states that “Information and IT systems are often critical assets that support the mission of an organization. Protecting them can be as important as protecting other organizational resources, such as money, physical assets, or employees.”
“A quality InfoSec program begins and ends with policy” (Whitman, 2014). Information security policy provides the instructions, standards and framework by which an InfoSec program is implemented and guided within the organization.
An information security policy should be “designed to create a productive and effective” workplace, while spelling out the organization’s vision for the authorized and appropriate use of the organization’s IT assets.
There are three major types of information security policies (Whitman, 2014, p. 128):
• Enterprise information security policy (EISP)
• Issue-specific security policies (ISSP)
• System-specific security policies (SysSP)
The EISP can be thought of as the overarching information security program policy that sets the direction of all security policies within the organization, while each subsequent policy type has a narrower scope. The ISSP addresses specific issues that may span multiple systems under the EISP umbrella, while the SysSP sets policy for, and may prescribe details of, specific systems or types of system. The SysSP can easily become the most technical and detailed of the three types of policy, and may prescribe technical configuration procedures for specific systems such as firewalls.
Whitman, M. E., & Mattord, H. J. (2014). Management of Information Security (4th ed.). Stamford, CT: Cengage Learning.
National Institute of Standards and Technology (1996). Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems. Gaithersburg, MD: NIST.