While many businesses believe that they have adequate procedures in place to protect their own confidential information or that of their clients/customers, most do not. Rather, they merely have a section in their employee handbook on confidentiality, and may require their employees to sign confidentiality or non-disclosure agreements. Generally, such provisions are not sufficient to protect a company’s confidential and proprietary information, nor to effectively minimize the chances of a data breach. Indeed, even with such procedures in place, there is little contained in such documents which actually addresses how to preserve and protect confidential information from inadvertent or malicious disclosure. Further, even if the business has some of these procedures in place, without a proper policy and training, compliance is less likely. This is where an Information Security (or “InfoSec”) Policy comes into play.
The purpose of this article is to outline some of the major issues which are addressed in an InfoSec Policy – most or all of which will help protect the company and its assets. Obviously, the actual practices and procedures of each business, together with applicable legal and contractual obligations of the business, will impact how each of these issues is addressed, as well as determine whether there are additional matters which must also be contained in the InfoSec Policy. This article is not legal advice and is not intended to issue any legal opinion, nor determine whether or not any specific business requires an InfoSec Policy. Rather, it is intended to start that discussion and explain the types of issues which can, and typically should, be addressed.
Purposes and Areas Addressed by an InfoSec Policy
The purpose of an InfoSec Policy is to outline the company’s position on corporate information security and establish general rules for its personnel to follow, which will ensure the confidentiality, integrity, and availability of information and protect the company’s own information technology assets from unauthorized access, use or modification, and from damage or destruction.
The InfoSec Policy generally applies to all personnel providing services for or on behalf of the company, whether full-time or part-time, contractors/sub-contractors, interns, or temporary personnel.
InfoSec Policies typically address computer systems, network operations, and company information, as well as the individuals who work with or have access to them. The concept is to create standard operating procedures to address information security requirements related to:
- General security controls.
- Computer acceptable use.
- Internet use.
- E-mail/instant messaging.
- Virus and other infection prevention.
- Communication devices.
- Remote network access.
- Wireless networking.
- Information protection.
- Physical access security.
- Addressing security incidents.
- Policy maintenance.
Implementation of an InfoSec Policy
An InfoSec Policy must be more than a resource for employees, contractors, etc., to access and review when they have questions. It must also be understood by the company and its workers so its policies can be implemented and followed on a daily basis. Therefore, once an InfoSec Policy is prepared and finalized, we typically provide an initial training session for company employees and all those to whom the Policy applies. Thereafter, training should be conducted at least once a year to assure the InfoSec Policy and all those who must comply are current, and that the information contained therein is understood and followed. The follow-up training can be conducted by us, or we can teach someone from the company to conduct the training, including providing any updated information or changes in policy/law. While the InfoSec Policy is a written document, it must also be a fluid document which is updated and adapted as new policies and procedures evolve.
The first step in the development of an InfoSec Policy is to determine what information a company has, what a company’s clients/customers/vendors expect of it with respect to information and security, what laws apply, and what policies and procedures the company currently has in place. After understanding and documenting this information, it must all be assimilated into a draft – and ultimately a final – written InfoSec Policy. Thereafter, the InfoSec Policy must be implemented, applied and updated as needed.
For more information or if you have any questions, please contact Michael J. Feldman, Esq., CIPP at or 908-964-2486.
Certified Information Privacy Professional from the International Association of Privacy Professionals.