In 2020, security breaches cost businesses an average of $3.86 million, but the cost of individual incidents varied significantly. The main factor in the cost variance was cybersecurity policies and how well they were implemented. Cost mitigating factors include security best practices such as encryption and vulnerability testing, but board involvement in creating and enforcing security policies also had a substantial impact.
Organizational security starts at the top, with clearly defined information security policies that influence how the organization as a whole prioritizes security, implements security best practices, and responds to threats.
What is an Information Security Policy?
Information security policies are high-level documents that outline an organization’s stance on security issues. They are typically supported by senior executives and are intended to provide a security framework that guides managers and employees throughout the organization.
Information security policies rarely mandate specific security technologies and approaches, but they do define the organization’s goals, requirements, and responsibilities concerning information security.
For example, a security policy might mandate that data on company-owned laptops is encrypted, that employees must not share data using unencrypted services, and that team leaders are responsible for ensuring people under their supervision follow these encryption best practices. However, high-level policies do not usually explain which encryption algorithms should be used or how encryption should be implemented.
Learn more about why security policies matter in Auditor Insights: Policies and Procedures Are Better Than Gold.
What Are the Types of Cybersecurity Policy?
Security policies can be categorized according to various criteria. One method is to categorize policies by scope:
- An organizational security policy describes the whole organization’s security objectives and its commitment to information security. It can be thought of as the primary document from which other security policies are derived. Also, it often informs the organization’s compliance goals.
- System-specific security policies focus on the information security requirements of particular systems, such as customer-facing applications, payroll systems, or data archive systems. They typically articulate security objectives and the operational security rules intended to support them.
- Issue-specific security policies provide guidelines for particular threats or categories of threats. An organization may create a security policy that focuses on phishing attacks or general email security, for example.
The organizational security policy is often the broadest and most abstract, with objective and rule specificity increasing as the policy addresses increasingly low-level issues.
Which Information Security Issues Should Cybersecurity Policies Address?
If your organization lacks an information security policy for some area of concern, then security in that area is likely to be disorganized, fragmented, and ineffective.
The issues that security policies should address differ between organizations, but some of the most important include:
- Physical security: How is security handled at data centers, server rooms, and at endpoints within the company’s offices and elsewhere? Physical security policies address a wide range of objectives, including access management, monitoring, and identification of secure areas.
- Data retention: Which data does the company collect and process? Where, how, and for how long should it be stored? Data retention policies impact a number of areas, including security, privacy, and compliance.
- Data encryption: How does the organization handle the secure storage and transmission of data? In addition to encryption objectives, data encryption policies may also discuss objectives and rules around key management and authentication.
- Access control: Who can access sensitive data, and what systems should be in place to ensure that sensitive data is identified and protected from unauthorized access?
- Security training: Security relies as much on people as it does on technology and systems. Human error contributes to many security breaches that could have been avoided if employees and executives had received sufficient training.
- Risk management: Information security risk management policies focus on risk assessment methodologies, the organization’s tolerance for risk in various systems, and who is responsible for managing risk.
- Business continuity: How will your organization react during a security incident that threatens critical business processes and assets? Security and business continuity interact in several ways: security threats can quickly become threats to business continuity, and the processes and infrastructure businesses use to maintain continuity must be designed with security in mind.
We’ve covered just a few of the security policies relevant to organizations in many different industries. Each organization is different. The type and content of policies should be tailored to your business’s unique circumstances, and they should evolve as those circumstances change. You can learn more about how to write effective security policies in our Style Guide to Creating Good Policies.