An information security policy is the foundation of an enterprise security program, ideally establishing in clear language what the organization expects from its security operations based on both its tolerance for risk and its regulatory obligations.

Yet security advisers say many organizations fail to give adequate attention to writing and maintaining strong information security policies, instead filling in blanks on generic templates and filing them away.

“It’s too often seen [by enterprise leaders] as an exercise to do, so that they can just check the box as done,” says John Pescatore, director of emerging security trends for SANS Institute, a research and education organization focused on information security.

On the other hand, organizations that tailor the information security policy to their own needs and circumstances based on enterprise risk, risk tolerance, regulatory requirements and desired best practices, and that actively manage the policy with scheduled reviews and updates when needed, create a strong basis for their entire security program.
As a result, they’re better positioned to achieve the security posture they seek.

Here are answers to seven common questions about information security policies.

What is an information security policy?

An information security policy is a high-level view of what should be done within a company in regard to information security.

“It’s the baseline that executives use to define what is secure enough for their company,” says Bryce Austin, CEO of the cybersecurity consulting firm TCE Strategy and the author of the book Secure Enough: 20 Questions on Cybersecurity for Business Owners and Executives.

Austin compares it to a charter, explaining that it’s not “supposed to solve all the problems, it’s to declare the problems you’ll take on and to provide guidance on how seriously you take them.”

Why do you need an information security policy?

Government regulations as well as certain business standards, such as the Payment Card Industry Data Security Standard (PCI DSS), specifically require organizations to develop an information security policy as well as other types of security-related programs.

A policy, however, is more than a compliance requirement. It is a tool that alerts the organization to the security risks it faces and guides it on how to counter them and to what degree.
It also informs people as to what actions are acceptable, which are not, and what measures, rules and restrictions need to be in place to ensure security.

“If you’re going to manage the entire company from the perspective of security, the policy is the best tool to do that,” says Richard Stiennon, chief research analyst at IT-Harvest and author of Security Yearbook 2020.

What is the purpose of an information security policy?

The policy also can remove, or at least reduce, inconsistencies in an organization’s approach to security by documenting what’s expected, what’s prohibited, and who has responsibility for which pieces of the security program.

“The importance there is to easily communicate your program and what is appropriate and what is not,” says Andrew Dutton, a virtual CISO with DuHart Consulting.

As such, CISOs and their security teams, as well as compliance, risk and legal leaders, can point to the information within the policy when explaining security-related needs to business units that might be trying to push back on certain procedures or processes put in place to meet the policy objectives.

Additionally, the policy can be used to guide an organization’s responses to clients or partners who might ask for proof of adequate security efforts before doing business together.

How do you create an information security policy?

The CISO typically leads the development of and updates to a security policy, but the CISO should also work with executives from finance, physical security, legal, human resources and at least one business unit to form a committee or working group to collaboratively craft an up-to-date policy.

“The CISO owns responsibility for the policy, but buy-in has to happen from the rest of the executive team,” says Brian Haugli, a partner and co-founder of SideChannel, a strategic cybersecurity consulting and advisory firm.

The team should start with a risk assessment to determine the organization’s vulnerabilities and areas of concern, from the potential for a data breach to the chances of a wide-scale system outage. They should assess how those potential incidents would impact the confidentiality, integrity and availability of data and systems. The team also needs to understand the organization’s tolerance for the various risks, outlining which concerns rank as low risk and which would jeopardize the organization’s survival. Then the team should consider the regulatory requirements it must meet.

From there, the CISO should articulate what level of security is required for the identified vulnerabilities and areas of concern, matching the required level of protection with the organization’s risk tolerance so that areas where there’s the lowest tolerance for risk get the highest levels of security.

Security experts advise CISOs and their teams to use frameworks, such as the ISO/IEC 27001 standard for information security management systems, to ensure they’re addressing all relevant elements.

What should an information security policy include?

Although security leaders recommend that each organization develop its own unique policy, they also agree that all policies should contain language addressing fundamental components that are universal.

Given that, they say all policies should detail the organization’s security objective, the policy’s scope of coverage, asset classification, asset management, access controls, password management, data classification, acceptable use, antivirus and patch management and even physical security.

Dutton says some organizations may also want to include statements around remote access, mobile devices, vendor management and cloud security.
Others advise CISOs to detail the regulatory requirements that the organization must meet, the information security management structure and which responsibilities belong to which positions.

Security leaders also recommend that CISOs aim to craft a policy that’s concise and clearly written. “I find people tend to get overly complicated with the IS policy; it is a charter that should be kept as simple as it can whenever possible,” Austin says.

Austin says information security policies should not include detailed descriptions of how the organization will achieve all the objectives presented in the policy. The policies shouldn’t have technical components, either.

“It’s not supposed to tell you how to implement all this,” Haugli adds.

What documents should be included in an information security policy?

Details on how the organization will meet the information security policy’s objectives can be found in various sub-policies, standards, guidelines and processes. “That’s where you’re making decisions around certain components of the security policy,” Haugli explains.

For example, the information security policy may establish that encryption is required for all data classified as sensitive or confidential, but a separate document provides details on the encryption standards to be met.

“When I think about an information security policy, I think of it as a global one where I talk about the risk tolerance of the company and the frameworks the company will follow, the very high-level stuff that the CEO needs to worry about,” Austin says. “But when we get into issues like the password policy, the CEO doesn’t need to know the minimum characters in a password. That requirement does need to exist, just not in the [master] policy. Similarly, we need to know, for example, what ports can be open to the internet or what encryption technology do we use. Those should be found in the technical specifications that support the information security policy.”

According to Dutton, other topics that may be broken out and detailed in supporting documents include cybersecurity strategy, backup restoration, disaster recovery, business continuity, incident response, data stewardship/data loss prevention and insider threats.

How often should information security policies be updated?

Some regulations require annual reviews of the information security policy, but security experts say the rapid pace of technology advances and the ever-evolving threat landscape necessitate more frequent reviews and updates of the supporting standards, guidelines, processes and procedures — in addition to the master policy itself. “It’s not a once-a-year activity; it’s continuous,” says Roger Hale, CISO-in-Residence at YL Ventures.

Experts acknowledge that it’s unreasonable to expect an organization to perform a full-scale risk assessment more than once a year — in fact, some already struggle to do that on an annual basis — but organizations should be prepared to update these documents as new laws come into effect, as regulatory requirements get tweaked or as new threats emerge.

Pescatore advises CISOs to have a process in place, perhaps an information security policy committee review process, to determine whether changing circumstances necessitate updates to the information security policy or any of the supporting guidelines, processes, procedures or standards.