It represents the organization’s intent, direction, and commitment toward protecting its assets.
Information security policy can be defined as an aggregate of directives, regulations, rules, and practices that prescribe how an organization manages, protects, and distributes information.
Maintaining security is essential for ongoing business operations. Without proper security controls in place, organizations may face disruptions, financial loss, reputational damage, and failure to meet business objectives.
Security policies are approved by senior management, which demonstrates leadership commitment and establishes a long-term security strategy.
Why Security Policy is Important
Security policies play a critical role in ensuring consistency, compliance, and control across the organization.
Key reasons include:
- Provide clear guidance on acceptable and expected behavior
- Prevent unpredictable actions by users
- Ensure alignment with laws, regulations, and industry standards
- Support business continuity and risk management
- Serve as a foundation for security controls and procedures
- Act as a compliance requirement in many industries
Without policies, individuals may make their own decisions about security practices, leading to inconsistent and potentially insecure outcomes.
Policy Hierarchy and Structure
Security documentation follows a hierarchical structure, where high-level policies guide lower-level documents.
+-----------------------------+
| Security Policy |
| (Strategic - Long Term) |
+-------------+---------------+
|
v
+-----------------------------+
| Standards |
| (Tactical - Mid Term) |
+-------------+---------------+
|
v
+-----------------------------+
| Procedures (SOP) |
| (Operational - Short Term)|
+-----------------------------+
Explanation:
- Policies
- High-level, strategic documents
- Long-term (3+ years)
- Define “what” and “why”
- Standards
- Mandatory technical rules
- Mid-term (~1 year)
- Define “what exactly must be used”
- Procedures (SOPs)
- Step-by-step instructions
- Short-term and frequently updated
- Define “how to do it”
Relationship Between Policy, Standards, and Procedures
A change in higher-level policies can trigger updates in standards and procedures.
Policy Change
|
v
Update Standards
|
v
Update Procedures
Example:
- Policy (Strategic):
- The organization must protect its network using a firewall.
- Standard (Tactical):
- The firewall must be a specific approved model or vendor.
- Procedure (Operational):
- Steps to configure firewall rules, ports, and monitoring.
The policy remains stable over time, while standards and procedures evolve with technology changes.
Standards
Standards are mandatory activities, actions, or rules designed to support and enforce policies.
They can be:
- Internally developed within the organization
- Published by recognized bodies such as ISO/IEC or IEEE
Characteristics of standards:
- Technical and specific
- Mandatory to follow
- Define approved technologies and configurations
Example:
- Policy:
- Financial data must be securely stored.
- Standard:
- Financial data must be encrypted using AES-128 at rest and in transit.
This ensures that the broad policy is translated into a clear technical requirement.
Procedures (Standard Operating Procedures - SOP)
Procedures are detailed, step-by-step instructions describing how to implement a control or mechanism.
A procedure (also known as a Standard Operating Procedure - SOP) provides detailed, step-by-step instructions for implementing a specific security control.
A procedure may define the exact steps required to install and configure a firewall. Procedures are low-level, highly specific, and represent the most detailed type of security documentation. Like policies and standards, procedures are mandatory and must be followed precisely.
They are:
- Highly detailed and practical
- Focused on execution
- Frequently updated
Example:
Procedure: Encrypt Financial Documents
- Identify the document to be stored
- Apply AES-128 encryption using approved software
- Store the encrypted file in the secure repository
- Verify encryption status
- Log the action for audit purposes
Guidelines
Guidelines provide recommended practices on how to implement standards and baselines. Unlike policies, standards, and procedures, guidelines are not mandatory.
They act as advisory documents that help security professionals and users make informed decisions.
Typical characteristics of guidelines:
- Flexible and non-enforceable
- Provide best practices and recommendations
- Often include words such as:
- can
- may
- should
Guidelines are especially useful in situations where strict rules are not practical, allowing for adaptability while still promoting secure behavior.
Summary of Security Documents
The relationship between different types of documents can be summarized as follows:
| Document | Purpose |
|---|---|
| Policy | Why something must be done |
| Standard | What must be done |
| Procedure | How it must be done |
| Guideline | Recommended way to do it |
Or in a flow view:
WHY -> Policy
WHAT -> Standard
HOW -> Procedure
HELP -> Guideline
Acceptable Use Policy (AUP)
An Acceptable Use Policy (AUP), also known as a fair use policy, defines what activities are allowed and prohibited when using organizational resources.
It establishes clear expectations for employees regarding the use of:
- Computers
- Networks
- Systems
- Internet access
Improper use of company resources can expose the organization to significant risks, including:
- Malware infections (viruses, worms, spyware)
- Network compromise
- Data breaches
- Legal consequences
Employees must understand that violating the AUP may result in disciplinary actions, including termination of employment.
What Should an AUP Address?
An effective Acceptable Use Policy should explicitly prohibit:
- Introducing malicious software into systems:
- Viruses
- Worms
- Spyware
- Unauthorized disclosure of confidential information
- Sharing account credentials or allowing others to use your account
- Performing unauthorized security testing:
- Port scanning
- Vulnerability scanning without approval
- Sending unsolicited communications:
- Spam
- Junk mail
- Unauthorized advertising
- Attempting to bypass security controls:
- Firewalls
- Access restrictions
- Making unauthorized statements on behalf of the organization
- Any other actions that violate company policies
Acceptable Use Risk Model
User Action
|
v
+----------------------+
| Acceptable Behavior? |
+----------+-----------+
|
Yes | No
|
v
Allowed Usage Policy Violation
|
v
Disciplinary Action
Privacy Policy
A privacy policy is a formal statement that explains how an organization collects, stores, and uses personal information.
Organizations that collect personal data are often legally required to publish a privacy policy, especially under regulations such as GDPR.
The exact content depends on:
- Nature of the business
- Geographic location of the organization
- Location of users
- Applicable laws and regulations
Key Elements of a Privacy Policy
At a minimum, a privacy policy should clearly state:
- What information is collected:
- Personal data
- Sensitive data
- How the information is collected:
- Forms
- Cookies
- Tracking technologies
- How the information is used:
- Service delivery
- Marketing
- Analytics
- Whether the data is shared:
- Third parties
- Partners
- Legal authorities
Privacy Data Flow
User Data
|
v
+------------------+
| Data Collection |
+------------------+
|
v
+------------------+
| Data Storage |
+------------------+
|
v
+------------------+
| Data Usage |
+------------------+
|
v
+------------------+
| Data Sharing |
+------------------+
Key Takeaways
- Procedures are detailed, mandatory instructions for implementation
- Guidelines are optional recommendations for best practices
- Policy = why, Standard = what, Procedure = how, Guideline = advice
- Acceptable Use Policy defines allowed and prohibited user behavior
- Privacy Policy ensures transparency in handling personal data
- Violations of policies can lead to serious organizational and legal consequences