
Understanding Information Security Policies

Information security policy is defined in NIST SP 800-12 Rev. 1 as “an aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information.” In making these decisions, managers face difficult trade-offs between resource allocation, competing objectives, and organizational strategy, all of which bear on protecting technical and information resources as well as guiding employee behavior. Managers at all levels make choices that can affect policy, with the scope of a policy’s applicability varying according to the scope of the manager’s authority.

Top management plays a crucial role in establishing effective information security policies. As stated in ISO 27001, top management shall establish an information security policy that:

  1. Is appropriate to the purpose of the organization;
  2. Includes information security objectives or provides the framework for setting information security objectives;
  3. Includes a commitment to satisfy applicable requirements related to information security;
  4. Includes a commitment to continual improvement of the information security management system.

Because policy is written at a broad level, organizations also develop standards, guidelines, and procedures that give users, managers, system administrators, and others a clearer approach to implementing policy and meeting organizational goals. Standards and guidelines specify the technologies and methodologies to be used to secure systems. Procedures are more detailed still: step-by-step instructions for accomplishing security-related tasks. Standards, guidelines, and procedures may be promulgated throughout an organization via handbooks, regulations, or manuals.

CSFaaS helps you to handle Policies and Standards.

Managerial decisions on information security issues vary greatly. To distinguish the various kinds of policy, they can be categorized into three basic types:

  • Program Policy,
  • Issue-specific Policy,
  • System-specific Policy.

(Source: NIST SP 800-12)