Policies play an important role in defining an organisation. They help define the culture, values, rules and expectations of the business, which is why it is essential that they are written with care and updated regularly. Effective policy management is necessary to ensure that your organisation isn't held back by out of date and inaccessible policies that will simply get forgotten about by users.
Having the right policies is of extra importance when it comes to information security. Improper use of company systems and devices can prove costly to an organisation, whether due to malware infection, data breach or damage to the company reputation. Cyber security policies will help reduce the chances of an incident happening and mitigate the damages when an incident does occur - but only if the right policies are in place.
In addition to having policies on the necessary topics - such as email use and password protection - it’s important that the policies are clear and accessible to your end users. This means ensuring that they’re free of jargon, as brief as possible while still containing all the necessary information, and easy to find for later reference.
In this article we will look at what information security policies your organisation needs, how to make sure they’re actually effective at improving security outcomes, and how to manage them to ensure continued compliance and effectiveness.
What makes for an effective policy?
Many organisations have security policies that consist mostly of technical jargon and legalese. A far too common view of security policies is that they exist to protect the organisation from litigation or to absolve it of responsibility in case of employee misbehaviour, but this perspective on policies will only be harmful to your organisation in the long run.
An effective policy is crystal clear on what is expected of employees, is free of jargon and legalese, and actually convinces employees to change behaviour accordingly. It is also important that employees understand why the policy exists, and what it is meant to achieve. If employees don’t understand the use of a policy, they will be far more tempted to overlook it - and if the policy is too complicated for them to bother reading through it, they will not even know what the policy states in the first place.
These are the three core requirements of an effective policy:
- The policy has to be readable and free of jargon
- The policy has to be kept up to date and relevant
- The policy has to fulfil any legal or compliance requirements.
uPolicy helps organisations view, update and send out their policies from one simplified online interface, saving you hours of admin time.
How to create an effective policy?
Creating a policy that works comes down to being clear about what you want the policy to achieve. You should ensure that there is a good reason for every part of the policy to be there, and that you can monitor and enforce anything you write down in the policy. Ambiguous language in the policy text should be avoided entirely - but it is fine to write of the aims and scope of the policy in general terms.
To write an effective policy, follow these steps:
- Set a clear objective for what you want the policy to achieve
- Clearly define who and what you want the policy to apply to
- Decide on the actual content of the policy
- Write down how you want to enforce the policy and penalise non-compliance.
What should be included in a policy?
Effective policies should resist from being too ‘policy-like’ in their language and format to keep readers engaged. A proper format, however, can help ensure that users know what information to find and where, and helps you make sure that you have written down all necessary information.
These are the five parts that you should include in a policy:
- Outline: the background information on the topics that the policy covers
- Purpose: why the policy has been written
- Scope: who the policy applies to
- Policy: what the policy actually includes
- Compliance: how compliance with the policy is tested and what repercussions can result from not complying with the policy.
In most cases, you will want to start off a policy with an outline of what the policy involves and any necessary background information. For example, in a work-from-home policy you will want to explain why a policy is necessary and what the risks are, whereas in a password policy a brief reminder of the risk caused by weak passwords is normally satisfactory.
The second part of a policy is the purpose - what the policy seeks to achieve. This does not mean the literal objectives in the policy text, but what actual outcome the company wishes to achieve with the policy. For example, the purpose of a password policy is not just to ensure users protect their accounts with strong passwords, but to enhance the security of the company, its systems and data, and to protect its customers and reputation.
You should be clear about who you want your policy apply to - whether it’s all your employees or a certain department, and whether you want to include temporary or contract workers for example. This will make it easier to know who to send the policy out later down the line. For information security policies scope also includes the devices or systems it covers - usually ones owned, leased or otherwise controlled by your business. It may also cover any devices or networks used by employees to perform the business of your company, such as any of their own devices they may use for this purpose.
This is the section where you will write what your policy actually involves. Be clear and unambiguous about what you want your employees to do. It’s important that everything you set out in the policy can be monitored and enforced, as otherwise it will set a bad precedent for compliance.
A policy only really exists if it is enforced, so in this final section you will need to set out the guidelines for enforcing the policy. You should state how compliance will be monitored - whether it’s through random tests, weekly checks or otherwise - and what non-compliance will lead to. Usually you will mention that small violations will result in warnings, but that you reserve the right to use measures up to and including termination in case of serious policy breaches.
List of information security policies
These are some of the most common cyber security policies:
Acceptable Use Policy
An Acceptable Use Policy sets rules on the use of a computer system. Any organisation where employees use the company’s devices or access the company’s network should have one - essentially every company.
The Acceptable Use Policy should clearly state what acceptable use of company devices and networks includes (anything required for job duties, and usually limited personal use) and what prohibited use includes (violent, offensive and illegal content, as well as anything that could damage the company, its customers or other employees).
An Anti-Malware Policy seeks to protect a computer system from malware by setting out rules and guidance on its use. This usually includes things like ensuring that anti-virus is up to date, and not downloading attachments from unexpected emails. Downloading and installing operating system and software updates is also commonly included in Anti-Malware policies - even though these may be tasks normally performed by the IT Department, it is important to keep users actively engaged in security issues to ensure the continued security of the business.
Clean Desk Policy
Papers and removable devices left on desks don’t only make an office appear more cluttered, but also result in a higher risk of data breach. A guest or unauthorised person can easily view or take any sensitive documents that have been left lying about. A Clean Desk Policy seeks to eliminate this risk by requiring employees to clear out their desks at the end of each workday.
Email is the main form of communication in most companies, but it is essential that improper use of email does not expose your company’s data or damage its reputation. An email policy sets out rules and guidelines on the use of company email accounts and addresses.
While internet use has become a norm in almost any role in many companies, it is still important to reduce the risk of inappropriate use of the internet from damaging your company. Internet security policies set out rules on the use of the internet by employees, stating the acceptable and prohibited uses of the internet at the business, and ensuring that users take the appropriate precautions to protect themselves and their devices when online.
One of the most common causes of breaches is the insecure use of passwords. It is essential that employees understand the importance of using secure passwords - and that your business has a way to enforce non-compliance. A Password Policy sets out the standards for secure passwords, how passwords can be stored and shared, and what the ramifications are for employees who fail to comply.
Removable Media Policy
Removable devices such as USB drives can cause data breaches or infection of company computers by malware. A Removable Media Policy aims to reduce this risk by establishing rules on the use of removable devices - for example by declaring that USB devices that have been unaccounted for or found around the workplace may not be inserted into company computers (they could have been left behind by cyber criminals and contain malware).
Security Response Plan Policy
Sooner or later, almost every organisation will face a security incident. It is important that you have a plan in place to mitigate damage caused as soon as the incident is discovered, and that roles and responsibilities in case of breaches are clearly communicated. A Security Response Plan Policy sets out guidelines on how these preparations ought to be carried out, and what the procedures are when an incident takes place.
What is a policy management system?
A policy management system allows your organisation’s policies to be managed from a single place. This makes editing, sending out and keeping track of all the policies and procedures of your business much simpler and reduces the time spent on administration.
There is a variety of policy management software available, but common features include:
- A single library containing all your organisation's policies in one place
- Policy writing tools to allow you to easily write new policies and edit existing ones
- Tools to send out policies to your users, whether to everyone in your organisation, specific departments or single users
- Simplified tracking of signatures, allowing you to see who's signed a policy and who hasn't without having to go through a folder of printed policy papers
- A library of templates to save time when deploying new policies
uPolicy is a policy management tool integrated directly into the usecure platform, allowing you to easily manage policies for your organisation and access a library of information security policy templates.