Analecta Cyber Company Blog: Establishing Your Company’s INFOSEC Policy


Establishing Your Company’s INFOSEC Policy

Previously, we discussed ways to put Information Security, or INFOSEC, on everyone’s mind through entertaining but informative training. The creation of a security policy goes one step further by letting management and employees know what is expected and what actions are best in the interest of the business.

Creating an INFOSEC policy for the first time may feel a bit daunting. Have no fear. We are here to talk through the highlights, the must-haves and how to begin. Here are the big takeaways:

  • Ensure everyone - including management, employees and security teams - is on the same page when it comes to information security.
  • Create a company-specific comprehensive security policy. 
  • Depending on your line of work, items contained in the policy may be mandatory based on state or local regulations. 
  • Draft your INFOSEC policy in clear, concise and easily understandable language so employees are able to follow and interpret it. 
  • Avoid just having a set of theoretical statements, legal jargon or technical acronyms. 
  • Update the policy regularly.
  • Keep it practical and reflect real-world experiences common to your company’s inner workings.


There are three main avenues to creating an INFOSEC policy:
  1. Write your own policy
  2. Hire an expert to write the policy on behalf of the company
  3. Download ready-made policy templates
Regardless of the method you use, it is important to customize the policy to fit your industry and business requirements. Most industries must account for specific data handling laws within the INFOSEC policy, and failing to address these could land the business in legal or regulatory trouble. If you do decide to write your own policy or use a template, it is recommended to have an outside expert take a look at it to ensure it covers the legal items appropriately.

NIST guidance

One method for writing a comprehensive information security policy is to use the NIST Cybersecurity Framework as the document outline and NIST Special Publication 800-53 as the source of recommended security controls. Both documents are incredibly detailed and cover all the major components of an INFOSEC policy. This level of detail would likely be more beneficial for medium and large-scale businesses or, in the case of small businesses, those that work directly with government agencies.

If you need a more nimble policy, take the major components from NIST guidance and tailor those sections to your company’s needs. NIST guidance spells out a collection of control baselines organized by potential impact to the company: low-impact, moderate-impact, and high-impact. These baselines are essentially formatted like an INFOSEC policy and only require your customization to fit them to your organization.


Major components

Whether you are writing your own policy or customizing an INFOSEC policy template, check for these common but important components within your policy:
  • Purpose: The policy document’s purpose is to establish a general approach to information security. It should also state how the company will detect and prevent compromises of information security and protect the reputation of the company with regard to its regulatory and/or legal responsibilities.
  • Scope: Write your policy to cover all data, applications, systems, facilities and users across your entire organization. Do not forget to cover third-party users that may need access to your systems.
  • INFOSEC Objectives: In this section, spell out your well-defined security objectives and how these objectives are measured for success.
  • Classification of Data: Do you have different types of data? Identify what those data types are and how they are identified. Some data types require additional protections due to industry regulations or laws.
  • Authority and Access Control Policy: Spell out who has access to different types of data. As data importance increases, ensure that the personnel who have permission to it have a bona fide business need to access or manipulate that data. Also, designate the personnel who have the authority to make specific decisions regarding data access.
  • Data Support and Operations: Identify how your data needs to be secured on your systems, giving specific attention to storage, backup and encryption.
  • Security Awareness and Training: Your employees are your first line of defense when it comes to protecting your data. Spell out how often your personnel need to conduct security refresher training.
  • Responsibilities, Rights and Duties of Personnel: Personnel that have been granted access to your systems need to be held accountable for their actions. Emphasize that INFOSEC is not just the responsibility of the IT or security teams.
  • References to Legal Requirements: If you are required to comply with industry or legal requirements, list the legislation or policies. If your organization processes Personally Identifiable Information (PII) or Health Insurance Portability and Accountability Act (HIPAA) data, include links to those laws.
  • Management Endorsement: Include the names and signatures of the senior management officials that approve and endorse the terms of the policy and put the signature page immediately after the title page. While this may be the very last thing you do when preparing the policy, you will want to make it one of the first things employees see when reading it.

Additional sections

What other things can you include? Think about adding the following information security considerations to your policy: 
  • acceptable use
  • network access
  • incident response
  • confidential data
  • outsourcing or external personnel access to data
  • email use
  • virtual private network
  • password requirements
  • encryption
  • physical security
  • data retention

Analecta is here to help!

We have you covered when it comes to policies and guidance! If you need assistance customizing an INFOSEC policy template or drafting a complete policy from scratch, contact us at or visit our Cybersecurity website. We’d be glad to walk you through the process and ensure your policy meets your needs.

Analecta Cyber is a Maryland-based cybersecurity firm providing cyber risk assessments for small and medium-sized businesses. Analecta is a trusted partner to help companies achieve their cybersecurity objectives.
