How to write an effective information security policy

An information security policy is a high-level view of what should be done within a company in regard to information security. Don't treat it as a check-the-box exercise.


An information security policy is the foundation of an enterprise security program, ideally establishing in clear language what the organization expects from its security operations based on both its tolerance for risk and on its regulatory obligations.

Yet security advisers say many organizations fail to give adequate attention to writing and maintaining strong information security policies, instead filling in blanks on generic templates and filing them away.

“It’s too often seen [by enterprise leaders] as an exercise to do, so that they can just check the box as done,” says John Pescatore, director of emerging security trends for SANS Institute, a research and education organization focused on information security.

On the other hand, organizations that tailor their information security policy to their own needs and circumstances, basing it on enterprise risk, risk tolerance, regulatory requirements and desired best practices, and that actively manage the policy with scheduled reviews and updates as needed, create a strong basis for their entire security program. As a result, they are better positioned to achieve the security posture they seek.

Here are answers to seven common questions about information security policies.
