Implementing Information Security Policy the right way!

Ziad Khalil
3 min read · Nov 1, 2020

You can choose to keep your organization's security policies on a shelf like diaries, or implement them across the whole company.

A security policy is a written document that outlines how the organization protects itself from threats, including computer security threats, and how it handles incidents when they do occur.

A security policy must identify all of the company's assets as well as the potential threats to those assets. Employees need to be kept up to date on the company's security policies, and the policies themselves should be updated regularly.

Executive management should approve the security policy, the policy should be circulated to everyone in the company, and the process of safeguarding data needs to be reviewed regularly and updated as new people come on board.

The following are recommended steps for adopting a security policy lifecycle and improving how the policies are implemented:

Proposed Implementation Steps:

· Prepare the policies so that they cover all assets and address all identified risks. The many templates available online can be used as a reference, but the contents should be driven by the legal, international, national and regulatory requirements that apply to the organization.

· Have top management review and approve the policies. This provides the authorization to apply and enforce the policy items and their disciplinary actions. The organization's legal representative should prepare the disciplinary actions so that they are enforceable.

· Arrange a company-wide announcement so that the policies reach all employees. This can be done with an email announcement to everyone in the company.

· Employees should read the policy contents and acknowledge to the company that they are aware of the contents and of the disciplinary actions.

· Preferably, the policies are published on an intranet portal where the employee can read the content easily and click an "Agree" button on each policy, or at the end, to indicate agreement with the contents. In this case the policies become mandatory, and any employee who refuses to agree to the contents faces disciplinary action, up to and including contract termination. The policy portal could be a set of interactive or web-based pages with next and previous buttons and descriptive pictures. Whatever form it takes, the portal should record who acknowledged which policy version and when, since that record is what makes the acknowledgment usable in an audit or a disciplinary case.

· Policies should be updated at least once a year, and new risks should be gathered at least twice a year. This can be done by establishing an internal committee responsible for the policies. Every three to six months the committee holds a comprehensive meeting to collect all possible new risks arising from new services or products about to be launched, and based on that collects the corresponding updates to the policies.

· Updates include removing, adding or editing items and categories in the policy contents.

· Awareness sessions on the policies should be conducted for employees, either as part of a security awareness campaign or as a dedicated event related to the security policy.

· At the beginning of each year, the updates should be announced, and employees should acknowledge the updated version so that the enforceable record always refers to the current policy.

· New employees should read and acknowledge the policies as part of the onboarding process.

How to detect INFOSEC policy violations, and why? Let us talk about this in another article.
