Security policies

A security policy defines what you want to protect. Good policies typically identify:

  • procedures,

  • guidelines, and

  • safeguards for configuring and managing security in the organization’s environment.

Security policies define the organization’s philosophy and requirements for securing information systems and related assets. They outline how controls apply to staff, processes, and environments. Consequences of non-compliance with the policies are often addressed as well.

Security policies provide many benefits to organizations:

  • Security vulnerabilities are identified and treated appropriately, keeping security-related risks within the organization’s risk tolerance.

  • A consistent approach to security reduces the likelihood and impact of a security breach.

  • Efficiencies are achieved when information is safely shared within the organization, as well as with customers, partners, and vendors.

  • Heightened security awareness increases the likelihood of compliance with the security policies.

Security policies are a soft form of protection: having a policy provides no tangible protection by itself. But because human factors and awareness are central to managing security risks, not having security policies is not an option.

Avoid creating your own security policies from scratch. Use and reuse good existing security policies. This:

  • Saves time.

  • Improves quality. Reuse means adopting existing policies and improving them where needed.

The real work and challenge is implementing the procedures within an organisation. How do you embed good security policies in the ‘DNA’ of an organisation? That is the real challenge, and it always depends on the specific context, culture and organisational structure.

Below are some example information security policies that can help you develop your own.