Security Policy – How to write one?


Consider you are a security expert employed by:

1) A big entertainment company, OR

2) A product company, OR

3) A manufacturing company.

And you have been asked to create the security policy for the organization. How would you go about creating one? The simplest way would be to Google examples of security policies, then copy, paste, and call it done. If that is what you have in mind, you can skip reading this post. However, if you are looking to create a custom security policy that caters to your organization, you are in the right place.

Before we jump into how to create a security policy, we must understand what a policy is. Wiki defines a policy as “A policy is a statement of intent and is implemented as a procedure or protocol.” Safeopedia explains it as “Policies are rules, principles, guidelines or frameworks that are adopted or designed by an organization to achieve long-term goals. Policies are formulated to direct and exert influence on all the major decisions to be made within the organization and keep all activities within a set of established boundaries.”

Let’s try to add security to this. Basically, a security policy would be a policy statement that will be designed to provide a long-term vision of the security of the organization. It will be used to create procedures and guidelines or frameworks that will ultimately ensure the cybersecurity posture of the organization. Simply put - An information security policy is a high-level view of what should be done within a company regarding information security.

The question that comes to mind is – one security policy to solve all my problems, provide a high-level view of every aspect, and express the intent of senior management towards security? Isn’t that a little over the top? Well, the security policy is supported by multiple other policies such as the AUP (acceptable use policy), incident response policy, security awareness policy, endpoint security policy, and so on. Take a breather!!!

At this point are you looking for that checklist or set of points that will help you create a smart security policy that you can present to the CISO/ board and earn accolades? Well, there isn’t any checklist or magic wand available. So, what next? Let’s ask for help.

If you follow ISO 27001’s advice, your information security policy will: 

  • Provide information security direction for your organization; 
  • Include information security objectives; 
  • Include information on how you will meet business, contractual, legal, or regulatory requirements; and 
  • Contain a commitment to continually improving your ISMS (information security management system).

But the question still remains on how to create one. Here are some tips:

1. For starters, create a cross-functional team of HR, legal, finance, business, and security experts. 

2. Try to understand the mission and vision of your organization. Your security policy should complement it. 

3. Start with a risk assessment of the organization, covering the threats and vulnerabilities in your scope of business that your policy should address. These will be different for every organization. 

4. Articulate what level of security is required for the identified vulnerabilities and areas of concern, matching the level of protection to the organization’s risk tolerance, so that the areas with the lowest tolerance for risk get the highest levels of security.

5. Your policy should set a high-level tone for the procedures and guidelines that will follow based on this policy. 

Example:
Company ABC’s security model will ensure:
Adequate security awareness and training amongst all employees.

This sets the tone for the security awareness policy, which will further detail what steps your organization is going to take to ensure security awareness.

6. Be mindful of the regulations and laws of the land you operate in. If your state/country does not allow data to be sent outside the country, your security policy cannot point out the opposite. 

Example (of a statement that would conflict with such a restriction):
Company ABC’s security model will ensure:
Data backup across the world to ensure your data is always available.

7. Most important of all – KEEP IT SIMPLE. This is not a measure of your or your organization’s technical prowess. This is a policy to show your employees and customers your intent to keep their information secure at all times. 

Your policy should be reviewed periodically to keep it in line with the changing regulations, organizational policies, and the ever-changing threat landscape.

The exercise below is just an attempt to help you learn. In the real world, inputs from multiple stakeholders are taken to formulate a security policy.

Let’s say, we have a company called ABCD which is in the business of producing machines that can manufacture semiconductor chips. What should a security policy for such an organization look like?

Here are some inputs for you:

  1. Major threats – political situations, supply chain issues, high costs, limited buyers
  2. Vision – Enable technology to solve complex problems
  3. Mission – Enable chip-making solutions for the world.

Risk Assessment results:

  1. Extremely confidential information is being handled which needs to be compartmentalized. 
  2. Intellectual property needs extreme ways of protection. Current measures seem insufficient.

(You may think: these are just five lines, how am I going to create a policy from this?) Well, sometimes you may not have even this much.

I will structure it into 3 parts:

1. Security Vision

2. What ABCD’s model will aim to do

3. Summary statement

ABCD is in the business of manufacturing machines that build chips to power the world. With our groundbreaking technologies, we work towards solving complex problems through technology. Our security vision is for ABCD to provide secure solutions that remain reliable in this ever-changing threat landscape.

Our technologies have a deep impact on lives across the world, and hence our security model will ensure:

  • Compliance with legal and statutory regulations across the world for our global operations.
  • Deployment of adequate security measures to protect the intellectual property of the organization.
  • Deployment of industry standards to handle security threats and vulnerabilities.
  • Deployment of measures for adequate security awareness amongst the employees.
  • Deployment of the latest tested technologies to ensure endpoint security.
  • Deployment of a security governance framework to measure performance against appropriate targets.

ABCD will continue to monitor its threat landscape and revise this policy periodically.

This is by no means a perfect policy. It is a rough draft that will undergo multiple revisions after inputs from cross-functional teams and executive management. However, it can be a first step towards writing one.

What are your thoughts on this? (Looking forward to your comments in the comments section below.)

