
A guideline to set up an information security policy


The internet, a technology invented in the mid 1950s, is doubtless the technology that has had the most impact on all societies. It has changed the way we communicate, the way we socialize, the way we do business and even the way we entertain ourselves.


The internet has also changed the way scammers and other bandits operate. They use various methods and sophisticated tools to trap their victims, but the common point is that they seek sensitive information to reach their end goal.


Therefore, Information Security has become a challenge for everyone, from the unknown individual to the big conglomerate. For the latter, it is even more challenging, as the bigger the company is, the more prone it is to attacks.


To protect against attacks and mitigate the risk of information leaks, companies need to have a robust Information Security Policy. Below are some elements to consider while preparing an Information Security Policy.



1. The Purpose

An Information Security Policy is a guideline on how to gather information, how to process it, how to store it, how to protect it and how to destroy it.

However, each organization has its own way of operating and its own mission. The degree of sensitivity of information is different and the use of information differs. This is why it is important to define the purpose of the Information Security Policy.

For example, the purpose can be to maintain the reputation of the organization and uphold ethical and legal responsibilities. Or it can be to respect customer rights, including how to react to inquiries and complaints about non-compliance.


2. The Audience

It is important to define the audience to whom the Information Security Policy applies. For example, in large organisations, which have a multitude of units or departments, it might be tricky to apply the same policy to everyone.

For example, a sales team will probably have access to information that a maintenance team will not have, and vice versa.

In such a case, an Information Security Policy might specify which audiences are out of the scope of the policy or even have their own policy.


3. Responsibilities, rights, and duties of personnel

Appoint staff to carry out user access reviews, education, change management, incident management, implementation, and periodic updates of the security policy. Responsibilities should be clearly defined as part of the security policy.


4. The objectives

An Information Security Policy must have well-defined objectives for strategy and security.

For example: Define who can or should have access to data and information assets. Set out how data should be kept intact, accurate and complete, and how IT systems must be kept operational. Make sure that users are able to access information or systems when needed.


The 4 points mentioned above form part of the 8 elements to consider when drafting an Information Security Policy. The others are: authority and access control policy, data classification, data support and operations, and security awareness and behavior.


At Ascentrix Consulting, we can help you set up your Information Security Policy, in compliance with the Data Protection regulation applicable in your country. Should you like help on the matter, please contact us.


Otherwise, if you want to know more about Information Security, you can read more about the 3 principles of Information Security by clicking on the link below.

