Information Security Policy Guides Risk Management

March 4, 2016

The term “policy” is overused jargon with overlapping and confusing meanings, and “information security policy” can mean several different things. Company or organizational policies define a value or a position the organization takes on an issue; system policies define the configuration of a particular computer resource; firewall policies define the rules for what traffic may cross a network boundary. These are different things with different purposes.

Here are some thoughts related to good information security policy practices.

It is a leading information risk management practice to operate a company, and its information security program, from a body of company information security policies. A number of legal authorities and security frameworks, ISO 27001 / 27002, NIST, PCI and HIPAA among them, require written policy.

These authorities all expect policies to be risk-derived. A risk assessment process that identifies and evaluates the risks to the organization should inform the policy-making process. Typically this means that regular, routine risk assessments are completed and that the organization maintains a catalog of its risks, commonly referred to as a risk register. Policies are then written so that every identified risk is covered by at least one policy.

Of course, there are basics that should be in place regardless, and these can be identified from the various authorities without much risk assessment effort. They form the foundation of an information security policy base and include:

  • Information security policy and objectives
  • Risk assessment and risk treatment methodology
  • Definition of security roles and responsibilities
  • Inventory of assets
  • Access control policy
  • Acceptable use of assets
  • Operating procedures for IT management including vulnerability management, logging and monitoring
  • Security awareness
  • Secure system engineering principles
  • Business continuity
  • Incident response
  • Supplier security policy
  • Statutory, regulatory, and contractual requirements

We use a variety of sources for information security policies:

Recommendation for Using Templates

When we started Jacadis we often wrote policies from scratch. That was a time-consuming and often expensive effort, so it is a benefit that so many templates are now available. One word of caution, however: if you choose the template route, particularly if you pick and choose from those available for free or as open source, make certain you invest the time to make terms and definitions consistent across all of your information security and organizational policies. It is an audit flag when we find information security policies published by an organization whose terms do not match the company’s other policies. Often this is a sign that the policies exist on paper only and are not being followed.

Policy Lifecycle

A leading practice is for organizations to review policies at least annually, making sure the policies change as company technology, compliance obligations and risks change.

Doug Davidson
Doug Davidson works with business leaders and executives who are nervous that their company’s critical data might be exposed and who want to ensure they are compliant with government rules and regulations. Understanding information security and risk management in today’s world is a required business skill. Doug thrives on helping business leaders, executives and managers who have to run and grow their business in a complex, risky world and who need help understanding how security enables their business and protects it from threats.