What is a Security Policy?

When you start a business, security policies sit a long way down the priority list, if they are given a second thought at all. Usually, security policies come to light only when the business starts working towards some sort of standardised security framework, such as ISO 27001, Cyber Essentials or IASME Cyber Assurance, to name a few.

So, what is a security policy? Why does it matter? Why should your business adopt them? And how does it benefit your business in the long run?

Before we can answer these questions, we first need to understand why having policies in place can benefit your business, and how security policies can work alongside your other policies.

Why are policies important?

Policies within the workplace are important: they help to establish a standard way of working. By implementing policies throughout the workplace, you as a business provide guidance, accountability and clarity, and set out how the business expects you and others to work.

By having policies defined, members of staff have an understanding of what is required of them, and of how the business expects everyone to behave. It allows everyone to work and interact with clarity.

Without these policies in place, if there were, for example, a workplace incident, neither the staff nor the business would have a set of procedures and guidelines to work by. This could in theory, at times, work to the advantage of a member of staff; however, if the same incident happened again, there would be nothing in writing to say that the past resolution was correct.

By having policies written down and communicated, everyone knows what to do and what is expected of them, and, more importantly, there is accountability.

What is a security policy?

Now that we know what policies are and why they are important, what is a security policy? A security policy is, in all aspects, a documented set of controls and statements. It defines how the business is going to achieve a secure stance. More importantly, it defines how the Confidentiality, Integrity and Availability (the CIA triad) of business systems are to be maintained.

The policy will usually address the following areas as a standard, but can include more information and sections depending upon the nature of the business:

  • Purpose of the policy document
  • Aims and objectives of the policy
  • Responsibilities
  • Risk assessment
  • Classification of information
  • Protection of computer systems and assets
  • Intellectual Property Rights
  • Legal Requirements
  • Transfer of information

By defining a security policy, you are defining a living, ever-evolving standard of rules within the business. The policy will help to inform your staff on how they should be protecting not only the information of the business itself, but also the information that you process on behalf of others.

If the business is large enough, the security policy can be split out into many different policies. For example, the security policy may make reference to physical security policies, covering servers, workstations, laptops and so forth. It may also refer to information security policies, which define the security of information assets, such as the digital or paper-based assets within the business.

Why does a business need them?

We’ve briefly touched on the why, but when you dig into the reasoning behind having a security policy in place, there are no real negatives or reasons why you shouldn’t look at implementing one. You may need them to ensure compliance with industry regulations and standards. Depending upon the nature of your business, you may have to comply with standards such as the Payment Card Industry (PCI) Data Security Standard.

Alternatively, contractual agreements may require that you adhere to standards such as Cyber Essentials or ISO 27001, which is a good time to start looking into using these policies, if they are not already implemented.

Why should you use them?

By having a structured security policy framework in place, the business can protect itself as well as the information it processes and stores. If there is ever an incident, you can fall back on the policies that are defined, allowing members of staff at any level to understand the processes and systems which are in place to protect data.

With references to other policies, the framework will evolve into a living document system which will be constantly reviewed and updated.

I hope this article is helpful and that, if you haven’t already, you look at creating your policy framework to further protect your business. If you don’t know where to start, a quick Google search for “Security Policy template” will give you quite a few examples to start with. You can then tailor it to your business and work on it over the course of days, weeks or months.