• United States




9 policies and procedures you need to know about if you’re starting a new security program

Mar 16, 20186 mins
Access ControlData and Information SecurityDisaster Recovery

Any mature security program requires each of these infosec policies, documents and procedures.

blue padlock in circle pixels digital security padlock
Credit: Getty Images

Building and managing a security program is an effort that most organizations grow into overtime. I have worked with startups who had no rules for how assets or networks were used by employees. I also have worked at established organizations where every aspect of IT and cybersecurity was heavily managed. The goal is to find a middle ground where companies can responsibly manage the risk that comes with the types of technologies that they choose to deploy.

In establishing the foundation for a security program, companies will usually first designate an employee to be responsible for cybersecurity. It will be this employee who will begin the process of creating a plan to manage their company’s risk through security technologies, auditable work processes, and documented policies and procedures.

A mature security program will require the following policies and procedures:

1. Acceptable Use Policy (AUP)

An AUP stipulates the constraints and practices that an employee using organizational IT assets must agree to in order to access to the corporate network or the internet. It is standard onboarding policy for new employees. They are given an AUP to read and sign before being granted a network ID. It is recommended that and organizations IT, security, legal and HR departments discuss what is included in this policy. An example that is available for fair use can be found at SANS.

2. Access Control Policy (ACP)

The ACP outlines the access available to employees in regards to an organization’s data and information systems. Some topics that are typically included in the policy are access control standards such as NIST’s Access Control and Implementation Guides. Other items covered in this policy are standards for user access, network access controls, operating system software controls and the complexity of corporate passwords. Additional supplementary items often outlined include methods for monitoring how corporate systems are accessed and used; how unattended workstations should be secured; and how access is removed when an employee leaves the organization. An excellent example of this policy is available at IAPP.

3. Change Management Policy

A change management policy refers to a formal process for making changes to IT, software development and security services/operations. The goal of a change management program is to increase the awareness and understanding of proposed changes across an organization, and to ensure that all changes are conducted methodically to minimize any adverse impact on services and customers. A good example of an IT change management policy available for fair use is at SANS.

4. Information Security Policy

An organization’s information security policies are typically high-level policies that can cover a large number of security controls. The primary information security policy is issued by the company to ensure that all employees who use information technology assets within the breadth of the organization, or its networks, comply with its stated rules and guidelines. I have seen organizations ask employees to sign this document to acknowledge that they have read it (which is generally done with the signing of the AUP policy). This policy is designed for employees to recognize that there are rules that they will be held accountable to with regard to the sensitivity of the corporate information and IT assets. The State of Illinois provides an excellent example of a cybersecurity policy that is available for download.

5. Incident Response (IR) Policy

The incident response policy is an organized approach to how the company will manage an incident and remediate the impact to operations. It’s the one policy CISOs hope to never have to use. However, the goal of this policy is to describe the process of handling an incident with respect to limiting the damage to business operations, customers and reducing recovery time and costs. Carnegie Mellon University provides an example of a high-level IR plan and SANS offers a plan specific to data breaches.

6. Remote Access Policy

The remote access policy is a document which outlines and defines acceptable methods of remotely connecting to an organization’s internal networks. I have also seen this policy include addendums with rules for the use of BYOD assets. This policy is a requirement for organizations that have dispersed networks with the ability to extend into insecure network locations, such as the local coffee house or unmanaged home networks. An example of an remote access policy is available at SANS.

7. Email/Communication Policy

A company’s email policy is a document that is used to formally outline how employees can use the business’ chosen electronic communication medium. I have seen this policy cover email, blogs, social media and chat technologies. The primary goal of this policy is to provide guidelines to employees on what is considered the acceptable and unacceptable use of any corporate communication technology. An example of an email policy is available at SANS.

8. Disaster Recovery Policy

An organization’s disaster recovery plan will generally include both cybersecurity and IT teams’ input and will be developed as part of the larger business continuity plan. The CISO and teams will manage an incident through the incident response policy. If the event has a significant business impact, the Business Continuity Plan will be activated. An example of a disaster recovery policy is available at SANS.

9. Business Continuity Plan (BCP)

The BCP will coordinate efforts across the organization and will use the disaster recovery plan to restore hardware, applications and data deemed essential for business continuity. BCP’s are unique to each business because they describe how the organization will operate in an emergency. Two examples of BCP’s that organizations can use to create their own are available at FEMA and Kapnick.

The above policies and documents are just some of the basic guidelines I use to build successful security programs. There are many more that a CISO will develop as their organization matures and the security program expands.

There are two resources I would recommend to people who have been selected to create their company’s first security policies. The first, as highlighted above, is the SANS Information Security Policy Templates website with numerous policies available for download Another source I would recommend is an article by CSO that lists links for policies focused on unique issues such as privacy, workplace violence and cellphone use while driving, to name a few.

Always remember to evangelize your new policies and guidelines with employees. It’s essential that employees are aware and up-to-date on any IT and cybersecurity procedure changes.


As Chief Information Security Officer (CISO), Gary Hayslip guides Webroot’s information security program, providing enterprise risk management. He is responsible for the development and implementation of all information security strategies, including the company’s security standards, procedures, and internal controls. Gary also contributes to product strategy, helping to guide the efficacy of Webroot’s security solutions portfolio.

As CISO, his mission includes creating a “risk aware” culture that places high value on securing and protecting customer information entrusted to Webroot. Gary has a record of establishing enterprise information security programs and managing multiple cross-functional network and security teams. Gary is co-author of “CISO Desk Reference Guide: A Practical Guide for CISOs” focused on enabling CISOs to expand their expertise and scope of knowledge.

Gary’s previous information security roles include CISO, Deputy Director of IT and senior network architect roles for the City of San Diego, the U.S. Navy (Active Duty) and as a U.S. Federal Government employee. In these positions he built security programs from the ground up, audited large disparate networks and consolidated and legacy network infrastructure into converged virtualized data centers.

Gary is involved in the cybersecurity and technology start-up communities in San Diego where he is the co-chairman for Cybertech, the parent organization that houses the cyber incubator Cyberhive and the Internet of Things (IoT) incubator iHive. He also serves as a member of the EvoNexus Selection Committee where he is instrumental in reviewing and mentoring cybersecurity and IoT startups. Gary is an active member of the professional organizations ISSA, ISACA, OWASP, and is on the Board of Directors for InfraGuard. Gary holds numerous professional certifications including: CISSP, CISA and CRISC, and holds a Bachelor of Science in Information Systems Management and a Master’s degree in Business Administration. Gary has more than 28 years of experience in information security, enterprise risk management and data privacy.

The opinions expressed in this blog are those of Gary Hayslip and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author