Information security policy (ISP) is a set of rules, policies and procedures designed to ensure all end users and networks within an organization meet minimum IT security and data protection requirements
Aims to enact protections and limit the distribution of data to only those with authorized access
Sensitive data, personally identifiable information (PII), and intellectual property must be protected to a higher standard than other data
Need
Control Security Risk
Identity Theft
System Fraud
System Misuse Detection
Purpose
Preserve your organization's information security, organization's reputation
Detect and preempt information security breaches caused by third-party vendors, misuse of networks, data, applications, computer systems and mobile devices
Uphold ethical, legal and regulatory requirements
Protect customer data and respond to inquiries and complaints about non-compliance with security requirements and data protection
Audience
Define who the information security policy applies to and who it does not apply to
You may be tempted to say that third-party vendors are not included as part of your information security policy
Types
Regulatory
Standards that must be followed
Advisory
Dos and Don'ts
User Policies
How users are expected to conduct themselves within the organization
Data Classification
Level 1
Public information
Level 2
Information your organization has chosen to keep confidential, but whose disclosure would not cause material harm
Level 3
Information whose disclosure carries a risk of material harm to individuals or your organization
Level 4
Information whose disclosure carries a high risk of serious harm to individuals or your organization
Level 5
Information whose disclosure would cause severe harm to individuals or your organization
Data Support and Operations
Data Protection Regulations
Personally identifiable information (PII) or sensitive data stored by an organization must be protected according to organizational standards, best practices, industry compliance standards and regulation
Data Backup Requirements
Outlines how data is backed up, what level of encryption is used and what third-party service providers are used
Movement of Data
Outlines how data is communicated
Data classified under the data classification levels above should be transmitted only with encryption and never across public networks, to avoid man-in-the-middle attacks
Security Awareness Training
Social engineering
Teach your employees about phishing, spear-phishing and other common social engineering cyber attacks
Clean desk policy
Laptops should be taken home rather than left at the desk, and documents should not be left on desks at the end of the work day
Acceptable usage
What can employees use their work devices and Internet for and what is restricted?