2022 Information Security Policy: How Should It Look?
An information security policy is a part of the ITIL Security Framework, as discussed in ITIL foundation certification programs. It is a document that describes how data and information will be protected in a company. The policy must be supported by top IT management. This is crucial: if management does not back the policy, then leaks and employees who break the policy in some way go unaddressed, and the company's confidential data remains insecure. The document is an important part of the Information Security Management process and forms part of the ITIL Service Design stage, which all online ITIL trainings cover.
The information security policy must cover all aspects of security and be appropriate to the business's needs. A policy that does not meet the needs of the business makes little sense, because the IT service provider exists primarily to deliver services and processes for the business. The policy must also be compatible with customer and business requirements. It is a living document that is updated as technology advances and business needs change.
What is a good Information Security Policy?
It should contain guidelines for:
Use and misuse of IT assets: For example, what are the steps to follow if a USB storage device containing confidential data of the finance team is lost? What are the actions if the laptop of a top executive is stolen? These procedures should be included in the information security policy.
Access control: How will information be protected? A user might need to provide a complex password. For highly confidential activities, a second factor may be required, such as a one-time code from a key generator (hardware token). These access control points should be included in the information security policy. It is important to determine which documents require which level of access control and who decides who may access them. Can an employee who has access to certain documents grant access to another user, or must an executive or IT manager authorize it? The information security policy must specify this.
Password control: How often must a password be changed? What are the minimum and maximum lengths of a password? Must it contain complex characters, or will letters and digits suffice? These rules should be documented in the information security policy.
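The password rules listed above only help if they are enforced consistently at every point where a password is set. The following Python block is an added example, not code from the original article or from ITIL; it shows how such rules can be expressed as a single policy object and checked by one function, so that the written policy and the technical control do not drift apart. The policy values, the violation codes, the small list of common passwords and the helper names (`PasswordPolicy`, `check_password`, `password_expired`) are all assumptions made for this example; it also goes slightly beyond the paragraph by adding a denylist of common passwords, which a practitioner would normally include alongside the length and complexity rules.

```python
"""Password policy enforcement (added example; names and values are assumptions)."""
from dataclasses import dataclass
from datetime import date
import string


@dataclass(frozen=True)
class PasswordPolicy:
    """Rules that the written information security policy would state in prose."""
    min_length: int = 12          # assumed minimum length
    max_length: int = 128         # assumed maximum length (prevents absurdly long inputs)
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    max_age_days: int = 90        # assumed rotation period ("how often should you change it?")
    # Constructed denylist of well-known weak passwords, compared case-insensitively.
    denylist: frozenset = frozenset({
        "password", "password123", "123456", "12345678", "qwerty",
        "letmein", "welcome1", "admin123", "iloveyou",
    })


# Default policy used by the examples and tests below (assumed values).
POLICY = PasswordPolicy()


def check_password(password: str, policy: PasswordPolicy = POLICY) -> list[str]:
    """Return a list of violation codes; an empty list means the password is acceptable.

    Checks are performed in a fixed order so callers can rely on the sequence:
    length, upper, lower, digit, symbol, common-password denylist.
    """
    violations: list[str] = []

    if len(password) < policy.min_length:
        violations.append("too_short")
    if len(password) > policy.max_length:
        violations.append("too_long")

    if policy.require_upper and not any(c.isupper() for c in password):
        violations.append("no_upper")
    if policy.require_lower and not any(c.islower() for c in password):
        violations.append("no_lower")
    if policy.require_digit and not any(c.isdigit() for c in password):
        violations.append("no_digit")
    if policy.require_symbol and not any(c in string.punctuation for c in password):
        violations.append("no_symbol")

    # A password that meets every composition rule can still be trivially guessable,
    # so the denylist check is applied regardless of the rules above.
    if password.lower() in policy.denylist:
        violations.append("common_password")

    return violations


def password_expired(changed_on: date, today: date, policy: PasswordPolicy = POLICY) -> bool:
    """True when the password is older than the rotation period allowed by the policy."""
    return (today - changed_on).days > policy.max_age_days


if __name__ == "__main__":
    # Constructed sample inputs: one compliant password, one that fails several rules.
    for candidate in ("Tr0ub4dor&3xample", "password123"):
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else ', '.join(result)}")
    print("expired:", password_expired(date(2022, 1, 1), date(2022, 6, 1)))
```

Because `check_password` returns machine-readable codes rather than printing a message, the same function can be reused by a user-facing form, an administrative tool that audits existing accounts, and a unit test that proves the control matches the policy document.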
Email, Internet and antivirus: Most corporate companies install anti-virus software on every computer within the company, and most also enforce an Internet usage policy on each computer. These controls protect the company's computers from hackers and other external attacks. The policy should also describe the company's firewall and specify what information may enter and leave the internal network.
Asset disposal: How will assets be disposed of? Are they to be physically destroyed (for example, burned) or simply thrown in the trash? Some companies use specialist organizations that collect old storage devices and external disks and destroy them at a secure location. It is important to document how each asset will be disposed of.
Information and document classification: A company holds many types of data, and not all of them need the same level of protection. An example is the Active Directory, which includes the names, surnames and contact information of each employee; this information must be readily available to staff, whereas other categories of data must be restricted, and the policy should define which category each type of information belongs to.