If your company is handling data, it is important (and you may be required by law) to have a good a company facing Information Security Policy in place. The Information Security Policy is comprehensive document that outlines how your company handles information security internally – and your entire workforce should have access to, and be trained on it.
This article will highlight 8 important sections of your Information Security Policy and what they mean.
1. Establish a Foundation of the Policy
First and foremost, your information security policy should establish that information security is a core function of your company, and set expectations to your workforce as to how important it really is. Further, this section should outline any local policies that must be followed, and compliance requirements (such as GDPR, CCPA, HIPAA, SOC 2, etc.) that your company is to adhere to.
2. Establish Responsibilities
This section is to identify who in your organization is in charge of the information security policy, how to get in touch with them, and establish an enforcement policy as to how to report wrongdoing, and what happens if the policy is violated. This policy should require your workforce to read, acknowledge, understand, and comply with the policies.
3. Classify Data
This section should classify the type of data collected, categorize the data based on risk, and assign a protection level to the data. For example, public information may be assigned a lower risk factor, but confidential and sensitive information (such as personally identifiable information) should be placed as a higher risk factor and require stronger protection at every level.
4. Establish Roles, Access Controls, and Acceptable Use
This section has several important functions. First, it must establish that your workforce is granted access to data based on their role within the organization. Second, this should set security standards, such as authentication (username, passwords, and tokens), password standards, etc. Third, this should include specific guidance on how workforce members can use and interact with the organizations data and information – such as using reasonable safeguards, not attempting to deactivate controls, and not engaging in prohibited criminal activities.
5. Establish How You Protect and Manage the IT Environment
This section should define how your company is going about protecting your data – including assigning authority to monitor, and establishing measures to ensure the protection of your IT environments.
For technology companies, this is especially important – because your IT assets are directly related to your product. Establish what preventive controls, user authentication standards, end user device controls, logging, encryption, and other data protection controls you have and make sure your workforce understands their importance.
6. Establish Incident Reporting and Response Standards
No one expects something to happen, but your company should always be prepared for an information security event – such as data breaches, hacking, unauthorized access, etc.
This section should first and foremost obligate your workforce to report an incident, provide ways to to report the incident, and assign responsibilities for communications with law enforcement, regulators, business partners, and affected individuals.
7. Your Vendors and Service Providers
Your vendors and service providers may have significant access to your data. Whether it is Amazon Web Services with your hosting, or Google with your email – it is important that you have a section outlining your vendor management – including how to track service providers, how to conduct due-diligence before engaging with a service provider, and ensuring that your contracts with vendors have the right provisions in place.
8. Your Risk Management and Compliance
Your company should be managing information security risks on an ongoing basis. This section should outline how, and how often you conduct risk assessments, audits, vulnerability assessments, penetration testing, training and overall health checks on your information security policies.
Let us Help
This post is just a high level overview of important sections your company information security policy should have. There are many more nuances and specifics around this, and other policies that you should understand if you plan on doing business online.
Kader Law can help you navigate and draft information security, and other policies. If you need legal assistance, feel free to contact us.
This post is not legal advice, and does not establish any attorney client privilege between Law Office of K.S. Kader, PLLC and you, the reader.