Given the many threats organizations face in protecting critical information and processes, an information security policy is arguably one of the most important documents an organization can create. Consider these best practices for creating a new security policy and keeping an existing policy up to date.
* Ensure that senior management will support the security policy. Bring senior management into the policy creation process early, and make sure the policies are designed to fulfill the business objectives of the organization. Set up a series of interview questions intended to provide a clear understanding of their position on security risk.
* Consider using a security policy template or other authoritative guideline. This will provide the basic framework for the policy document and can be customized to address the needs of a specific organization. Good resources include the ISO series (27001, 27002 or 27005 at iso.org); the National Institute of Standards and Technology (NIST) Publication 800-14 at tinyurl.com/23jst6; and ISACA's Control Objectives for Information and related Technology (CoBIT) at isaca.org.
* Include consequences for noncompliance. Work with the human resources and legal departments to include appropriate sanctions, which can include termination or prosecution.
* Thoroughly review applicable laws. Ensure the security policy complies with the organization's regulatory environment, including the FTC Red Flag Rules, Health Insurance Portability and Accountability Act (HIPAA) regulations on the release of medical information, the Gramm-Leach-Bliley Act, applicable state-specific laws, and e-discovery requirements.
* Use clear and concise ideas to communicate the security policy. Use directive wording (must, will, etc.) and nontechnical terms that employees can understand. Policies should be written independent of specific operating systems or software applications. …