Often a company’s information security policy is an overarching document made up of several sub-policies. The company’s IT infrastructure, its business needs and goals, and its level of risk (e.g. whether it processes large volumes of sensitive data on a daily basis) all shape the policy. Creating a policy with so many layers can seem daunting, but it is a baseline practice for protecting the organization.
Here is a brief overview of some of the main components of an information security policy. Note that these are presented in general terms and will vary by organization:
General or Overall Security
The section of an information security policy covering general or overall security may include parts such as an email policy, password guidelines, an acceptable use policy, and even a disaster recovery plan policy. This part of the policy covers high-level security and access expectations. It may specify which web browsers are approved on workstations, set email transmission and encryption requirements, and lay out rules for creating strong passwords. Many legacy policies phrase this as a composition rule (e.g. requiring a mix of upper- and lower-case letters, numbers, and symbols); current guidance such as NIST SP 800-63B instead favors a sensible minimum length, a generous maximum length, and screening candidate passwords against lists of known-breached or commonly used passwords, since composition rules tend to produce predictable patterns like “P@ssw0rd” that attackers already try first.
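To make the difference between the two styles of password rule concrete, here is an added example (not part of the original article, and not a tool from any particular vendor) that evaluates a candidate password first under a legacy composition rule and then under a NIST SP 800-63B-style check. The breached-password list is a tiny constructed sample; a real deployment would load a large corpus such as an offline Have I Been Pwned dump. The function names and the specific thresholds (8 minimum, 64 maximum) are this example's own choices.

```python
import string
from typing import Iterable, Tuple

# Constructed sample of a breached / commonly used password list, stored
# lower-cased. In production this would be a large offline corpus.
BREACHED_PASSWORDS = {
    "password", "p@ssw0rd", "welcome1", "summer2024!", "qwerty123",
}


def passes_composition_rule(pw: str, min_len: int = 8) -> bool:
    """Legacy rule: at least min_len characters and at least one character
    from each of four classes (lower, upper, digit, symbol)."""
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(c in string.punctuation for c in pw)
    return len(pw) >= min_len and has_lower and has_upper and has_digit and has_symbol


def passes_nist_style(
    pw: str,
    min_len: int = 8,
    max_len: int = 64,
    context_words: Iterable[str] = (),
) -> Tuple[bool, str]:
    """NIST SP 800-63B style check: length bounds, a breached-password
    blocklist, context-specific words (company name, username), and a
    guard against trivially repetitive input. No character-class rule.
    Returns (accepted, reason)."""
    if len(pw) < min_len:
        return False, "too short"
    if len(pw) > max_len:
        return False, "too long"

    normalized = pw.lower()
    if normalized in BREACHED_PASSWORDS:
        return False, "on breached-password list"

    for word in context_words:
        if word.lower() in normalized:
            return False, f"contains context word {word!r}"

    # Reject strings built from one or two distinct characters ("aaaaaaaa").
    if len(set(pw)) <= 2:
        return False, "repetitive characters"

    return True, "ok"


def evaluate(pw: str, context_words: Iterable[str] = ()) -> dict:
    """Run both checks on one candidate so the outcomes can be compared."""
    accepted, reason = passes_nist_style(pw, context_words=context_words)
    return {
        "composition_rule": passes_composition_rule(pw),
        "nist_style": accepted,
        "nist_reason": reason,
    }


if __name__ == "__main__":
    # Constructed candidates: the first satisfies the composition rule but is
    # a known-breached pattern; the second fails the composition rule but is
    # long and not on any list.
    for candidate in ("P@ssw0rd", "correct horse battery staple", "acme2024rocks"):
        print(candidate, evaluate(candidate, context_words=("acme",)))
```

The interesting rows are the first two: “P@ssw0rd” passes the composition rule and fails the blocklist, while a long passphrase fails the composition rule (no digit or symbol) and passes the NIST-style check. If your policy keeps a composition rule for legacy reasons, it should at least be paired with the blocklist and length checks rather than used alone.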
Network Security
It is easy to assume that network security is straightforward, covering only the workstations and laptops that connect to the company network. In practice there are many points of contact with the network that are easily overlooked. This section may include policies on remote access (e.g. off-site access through a VPN), router and switch security standards to be applied consistently across the organization, and rules for wireless connectivity, including Bluetooth and personal devices.
Employees will often connect their personal phones to the company network to save on their own data plans while in the office. This part of the policy sets out the controls and guidelines (for example, a separate guest or BYOD network segment and device registration requirements) that ensure employees connect such devices securely.
Server Security
The Server Security section of a security policy sets baseline or minimum standards for securely configuring an organization’s servers. It may define which roles or levels of staff are permitted access to company servers, and how administrative credentials are issued, stored, and rotated so that authorized employees can access servers when needed. Any compliance regulations (such as HIPAA) that apply to a company’s servers and the data processed on them are also referenced in this section.
Application Security
With more companies building custom applications in house and more employees learning how to code, it is important that an organization include an Application Security section in its information security policy. Any custom-built application (whether it runs natively on a server or workstation or as a web application) must follow rules and guidelines that meet the company’s security standards. This section will typically cover items such as approved cryptographic protocols and libraries, how application credentials and secrets are created and stored (for example, outside source code, in a secrets manager), and the cadence and scope of regular application security assessments.
If you are looking for some one-on-one guidance in developing your own, custom information security policy, Roan Solutions is here to help. Contact us today to get started!