The purpose of the IT security policy is, as previously mentioned, to create the framework for the organisation’s IT security work. The policy will help you make objectives, delegate responsibility, and report progress.
I will now go through each step of the IT security policy template with comments on how to use it and what to be aware of.
We highly recommend that you follow the template while reading this guide, because it is filled with useful examples.
The IT security policy contains seven sections that you need to consider and complete. These sections are:
- Purpose
- Validity
- Objectives
- Organisation and responsibility
- Waiver
- Reporting
- Violation
Step 1: Purpose
The first section you need to consider is the purpose of the information security policy. The purpose will almost always be to set the framework for the management of information security in the organisation. In this section, you could, for instance, write something like:
“The security policy defines the framework for the management of information security in X.”
Step 2: Validity
Validity deals with whom the IT security policy affects. Often, this would be all employees in the organisation. However, it could also include consultants who work for the organisation and everybody who uses the organisation’s IT systems. Thus, it is up to you to decide who is included in the policy. It could sound like:
“The security policy applies to all employees in X and the entire access to X’s information systems.”
Step 3: Objectives
The third section outlines the objectives. In many ways, the objectives are the central element of the policy. This is the place where you define what you want to achieve. You are in line with your information security policy if you comply with the objectives.
In our template, there are 8 examples of potential objectives that can be used, adjusted, or deleted to fit your organisation. It is important to consider why you choose the objectives you choose and whether they are realistic. The 8 examples can be found in the template, but you can see one of them here:
“ORG X uses a risk-based approach where the level of protection and its cost must be based on the business risk and impact assessment that must be carried out annually as a minimum.”
The examples in our IT policy template point in the direction of existing frameworks, such as ISO 27001. They do so because it is not necessary to reinvent the wheel when you write a security policy; it is perfectly fine to build on existing frameworks.
Create realistic objectives
In the examples, we use the word “endeavours” a few times. You might think that it is vague to use the word “endeavours” in an objective, but we use this word in acknowledgement of the amount of work it takes to ensure that your organisation complies with the GDPR. For many organisations, full compliance from the outset would be an unrealistic objective. Therefore, by using the word “endeavours” you set demands for moving in the right direction, but you also accept that it is a journey. A lot of organisations simply cannot comply with all the rules from day one.
The objectives change as your organisation does
The information security policy is a document that is always in progress and needs to be reassessed regularly. The wording can change many times while your organisation becomes more secure. Thus, by reassessing and updating the policy every year, you will see changes in the objectives to make them fit your organisation’s progress.
Regularly reviewing your IT security policy ensures that the policy does not become an old dusty document but remains an active tool in your security work.
Step 4: Organisation and responsibility
The responsibility for IT security must be delegated across the organisation. The policy can be an effective way of doing this.
You might choose to appoint an employee who oversees the entire IT department and works with daily tasks and operations, or it could also be the data protection officer. However, you must make sure that other employees in your organisation are also involved and responsible for IT security. The goal is to encourage employees at every level of the organisation to actively participate in strengthening your IT security.
As shown in the IT security policy template, a delegation of responsibility could be something like:
- The board of directors has the ultimate responsibility for information security in X.
- The executive board is responsible for management principles and delegates specific responsibilities for protective measures, which includes ownership of information systems.
- Ownership is set for every critical information system and the owner establishes how this is done.
- The IT department consults, coordinates, controls, and reports on the status of the security. The IT department prepares guidelines and procedures.
- The individual employee is responsible for complying with the information security policy and being informed about it in the 'IT usage policy'.
It is important to note that it is not necessarily the IT department that has ownership of every information system. It could be, for instance, the marketing department that holds ownership of the company webpage. Hence, it is important that the delegation of responsibility mirrors the organisation’s reality.
Step 5: Waiver
Waivers are exceptions where responsibility and objectives are not applicable. If you do not have any clear exceptions, you can formulate a general statement that allows exceptions to be granted in the future if needed:
“Waivers for X’s information security policy and guidelines are approved by the IT department based on the guidelines laid out by the executive board.”
Step 6: Reporting
Reporting is important because it creates a loop and process in the work related to IT security. The report highlights the areas of responsibility. For example, if the IT department must report to the executive board, you ensure that progress occurs because the IT department must show results in these reports.
Therefore, reporting ensures progress towards the objectives and assures that responsibilities are respected.
The section could be formulated as follows:
- The IT department informs the executive board about all relevant security breaches.
- The status of waivers is included in the IT department’s annual report to the executive board.
- The executive board reviews the security status annually and reports to the board of directors afterward.
Step 7: Violation
The last section of the IT security policy deals with what happens if someone intentionally violates the policy. It could be the HR department’s responsibility to deal with such violations, or it may even be the person responsible for the entire IT department. The important aspect is to determine who needs to act in case of a violation and write it down on paper. In this way, you ensure that the situation can be properly handled. In our IT policy template, we have written:
“Intentional violation and abuse are reported by the IT department to the HR department and the closest authority with lead responsibility. Violation of the information security policy and supporting guidelines may result in employment law consequences.”