S 2.192 Drawing up a policy for information security
Initiation responsibility: Top Management
Implementation responsibility: Top Management, IT Security Officer
The guiding statements of the security strategy should be summarised in a policy for information security so that all employees have documentation of the security objectives to be pursued and the security level to be obtained. The security policy can be considered visible confirmation of top management's responsibility for information security.
The following points must be taken into account when drawing up the policy for information security:
Responsibility of top management
It is important for top management to be fully behind the policy for information security as well as behind the goals stated in the policy. For this reason, the security policy must be signed by top management and published in its name. Even when individual tasks are delegated to persons or organisational units in the framework of the security process, the overall responsibility for information security still remains with top management.
Specification of the scope
The information security policy must state which areas it applies to. The scope may include the whole organisation or just parts of the organisation. It is important, though, for the scope to include all specialised tasks and business processes examined.
Specification of the security objectives
At the beginning of the security process, top management must define, agree on, and document the security objectives. The security objectives can be derived from the business processes and specialised tasks, legal framework, and general objectives of the government agency or company. The security objectives serve as the foundation for the creation of the information security policy.
Content of the security policy
The policy for information security should be formulated clearly and concisely, because experience has shown that policy papers of more than 20 pages are rarely followed in actual practice. The policy should nevertheless contain the following aspects at a minimum:
- The value of information security and the importance of the essential information, business processes, and IT systems to the organisation must be presented in the policy.
- The security objectives and how the security objectives are related to the business goals and tasks of the organisation also need to be explained.
- The core elements of the security strategy should be stated.
- The management must demonstrate to all employees that they support the security policy and will enforce it. At the same time, the policy must contain guiding statements on how to check its success.
- The organisational structure established for the implementation of the security process must be described (see S 2.193 Establishment of a suitable organisational structure for information security).
Releasing the policy for information security
Experience has shown that employees only comply with security safeguards and organisational regulations when they can recognise their purpose. For this reason, the security policy must be published: it documents the strategy of the management personnel responsible for information security and makes the value of information security clear to all. It is important for all employees to be familiar with and understand the contents of the security policy. New employees should be informed of the policy for information security before they are allowed to access business-related information. Having all employees confirm in writing that they are familiar with the security policy underscores its importance.
In general, the policy for information security should be stated generally enough that employees from all organisational units recognise its relevance to them. However, it is also possible to add sections to the security policy that are confidential, or that are only relevant to a limited number of people, in order to cover special applications or areas of the organisation. It is recommended to place such sections in an appendix so that necessary changes can be made flexibly and promptly without having to adapt the general part of the policy. If necessary, the appendix can be marked as confidential and given special protection.
Updating the security policy
The policy for information security should be checked and updated if necessary at regular intervals. The policy should be updated to reflect changes in the general conditions, business goals, tasks, or security strategy. Due to rapid developments in the field of IT and in the field of security, it is recommended to revise the security policy every two years.
Review questions:
- Is a policy for information security available that has been approved by management?
- Is the scope of the security policy clearly defined?
- Does the security policy describe the value of information security, the security objectives, the core elements of the security strategy, and the organisational structure for information security?
- Have all employees been informed of the policy for information security?
- Is the security policy up to date?