As I have mentioned in many blogs, maintaining a good layer of security comes down to two things:

  • Implementing the right Security technologies that your particular business or corporation needs (note that this does not mean you have to invest in the latest and the greatest – you just need to have what works for you, even if the equipment is 5 years old. Even old equipment can work well, as long as you maintain it with the right patches and firmware upgrades).
  • Human Vigilance: Again, this goes back to the old mantra that it is human beings, especially employees, who are the weakest link in the Security chain. People continuously need to be trained, and reminded of which threats they should keep their eyes on.

But apart from even these key concepts, an organization also needs to have a proper Security Policy in place. This sets up the framework of key goals and objectives, as well as the penalties for non-compliance. Keep in mind, though, that there is no cookie-cutter approach to creating a Security Policy; in other words, there is no such thing as a one-size-fits-all template.

Nor should you take this approach, as it could spell nothing but disaster for your organization in the end. Your Security Policy is your own brand, reflecting what is important to you. In a way, it is even like your own slogan or logo that you use for your marketing purposes, or even your trademark.

In this blog, we review what a Security Policy is, and its general components. But keep in mind once again that this overview is not specific to your business. You should always consult with a Cyber security consultant first.

The Definition of a Security Policy

Sure, everybody has heard the term Security Policy, but what exactly is it? It can be defined as follows:

“An IT Security Policy identifies the rules and the procedures for all individuals accessing and using an organization’s IT assets and resources.”

It may sound easy at first, but creating a Security Policy is actually quite a difficult task to accomplish. Not only do you have to provide the high-level overview of what you want accomplished when it comes to securing your business, but you also have to come up with all of the granular details to support it.

The Levels of a Security Policy

There are two basic levels of a Security Policy, which are:

  • The Program Level:

This represents your view (and that of the other members of the senior management team) on the security objectives that must be met.

  • The System Level:

These are the rules that govern the proper and safe usage of specific systems in your IT infrastructure.

The Components of a Security Policy

A general framework of what should be included in a Security Policy can be described as follows:

1) It must have a clear and distinct purpose, addressing key Security issues. Some examples of these include the following:

  • The acceptable recovery times in the face of a Cyber-attack;
  • How much financial tolerance your business has in the face of any downtime;
  • The regulatory requirements your business must comply with;
  • The overall management of the Confidentiality, Integrity, and Availability (also known as the “CIA Triad”) of information and data assets.

2) The scope must be clearly defined. This serves as a guidance tool as to whom and what is covered by your Security Policy. Typical examples of this include:

  • Any separate lines of business or divisions that may exist in your business;
  • Your employees;
  • The various technologies that make up your IT infrastructure;
  • The processes that you have in place for the production and distribution of your products and services.

3) Responsibilities:

This part of your Security Policy details who in your business is responsible for the actual implementation and management of the rules that have been set forth. For example, the department heads could very well be assigned this task.

4) Compliance:

This is the section where you spell out the enforcement of your Security Policy, and the penalties that are invoked for not following it. But in order to convey this to your employees and to make sure that they understand the ramifications, this needs to be an integral part of your security training program, as mentioned at the beginning of this blog.

Key Takeaways

A good Security Policy for your business will always:

  • Form the backbone for the standards, guidelines, and procedures that must be followed.
  • Help to educate your employees, contractors, and third-party vendors about the right set of activities and behaviors that must be observed to ensure that regulatory compliance is being followed.
  • Make clear to everybody your expectations in how to protect the assets of the IT infrastructure.
  • Be flexible to keep up with the changes in the Cyber threat landscape.

Finally, it is important to keep in mind that a good Security Policy will evolve over time. For example, what is written today could very well change one year from now. It is also wise to have an advisory board composed of people whom you trust to review your Security Policy on at least a semiannual basis. This will help to make sure that it is kept up to date and, most importantly, that it is being followed by your employees.