4 Keys to an Information Security Policy


You have an open door policy as a business owner. Whether it’s with your employees that work for you or the customers that buy from you, the goal of your operation is transparency, where everyone feels welcome to share their ideas and thoughts, questions and concerns.

But when it comes to your information security, access is for authorized users only. Like your workers and customers, information is an asset. When data security is compromised — resulting in identity theft or stolen intellectual property — it can threaten the financial survival of your business, forcing you to close your doors for good.

A successful data security posture is multifaceted and upheld by a comprehensive information security policy. Whether you are brand new to data security as a business owner, looking to strengthen your existing security standards or interested in pursuing information systems as a career, this article provides guidance that you can apply in real-world cybersecurity situations and scenarios.

What Is an Information Security Policy?

An information security policy is a compilation of procedures, rules, policies and processes that outline how data is used and stored. There are a wide variety of scenarios in which bad actors can obtain personal or business information, such as identity theft, cyberattacks or the mishandling of data by employees. An information security policy can specify what security procedures are in place to protect information assets, which situations count as acceptable use of data and what disaster recovery workflows are in place in the event of a security breach.

What Is the Central Purpose of an Information Security Policy?

The purpose of an information security policy isn’t one-dimensional but manifold, because it’s designed to address the needs and security concerns of both the business’s customers and its employees. Customers — whose data a business may have on file, such as payment details, mailing addresses or contact information — want assurances that their data is stored securely and only provided to those who have the appropriate authorization. The security policy must reflect that. From the perspective of employees, the policy’s purpose is to describe how information is supposed to be used and for what reasons.

Finally, an information security policy can also identify what company information must be kept confidential for the preservation of intellectual property.

But there are many other reasons why businesses establish an information security policy. These include:

  • To protect the reputation of the organization.
  • To comply with legal and regulatory requirements established by oversight agencies.
  • To provide actionable steps that enable stakeholders to identify and respond to common cyberattacks, such as phishing, malware, ransomware or denial of service attacks.
  • To document security measures and user access control policies.
  • To better coordinate and enforce a security program or disaster recovery response.
  • To execute security programs across an entire organization.
  • To facilitate data integrity.

Reputational damage can be a particularly harmful side effect of a data breach. A report from the business insurance firm Hiscox shows that in 2022, more than 27% of organizations that experienced a cyberattack suffered reputational or brand damage in the aftermath, up from 23% in 2021.

A well-crafted information security policy can address what steps a business ought to take to accept responsibility and re-establish trust.

How Common Are Data-Related Security Incidents?

Data security is an industry unto itself. Because data has proliferated — as have the ways to communicate that data — there are a variety of situations in which sensitive information can wind up in the wrong hands. According to the Identity Theft Resource Center, there were at least 1,862 instances in 2021 in which data was compromised, affecting over 295 million people in the U.S. alone. Through the first quarter of 2022, there have been approximately 400 reported data breaches.

Eva Velasquez, president and chief executive officer of the ITRC, noted that most of these incidents stem from cyberattacks.

“As we mentioned in our 2021 Annual Data Breach Report, we saw an alarming number of data breaches last year due to highly complex and sophisticated cyberattacks that are fueling the dramatic rise in identity fraud,” Velasquez explained.

As the report illustrated, these cyberattacks were overwhelmingly carried out via two specific identity fraud techniques: phishing and ransomware. Phishing is designed to coax a person or business into voluntarily submitting anything of value — like credit card information, sign-in details or a savings account number — to what appears to be a legitimate source. This may be done by email or by creating a website that looks identical to that of a trustworthy institution or organization.

Ransomware, which is often deployed via phishing, is a form of technological hijacking in which a cyberattacker uses malware to corrupt or lock down the computer system of an everyday individual, business owner, enterprise or government entity. The only way for the authorized user to reclaim their computer systems is by paying the ransom, a sum that can often be substantial. While security experts are at odds over whether victims of this attack should give in to perpetrators’ monetary demands, some businesses determine that paying the ransom is the best move for them, given the nature of the data that is stolen and what the costs of downtime or negative publicity would be. The aforementioned Hiscox report shows that the largest ransom paid worldwide in 2021 was $100,000, up from $95,000 in 2020. Of the firms affected by ransomware, two-thirds decided to pay the ransom.

A comprehensive information security policy may also define the stance a business takes on security incidents — how to address them and who to report them to should they occur.

Just as certain types of cyberattacks are more prevalent than others — 92% of data breaches derived from phishing and ransomware, according to the ITRC — certain industries are more susceptible to data breaches. This is largely due to the nature of their business and the information that passes back and forth between customers and business entities. For example, through the first three months of 2022, financial services, manufacturing and utilities, health care and professional services experienced the most security incidents, per the ITRC’s most recent quarterly report.

While all business entities are urged to establish an information security policy — replete with built-in security procedures and best-practice security standards — these specific sectors may need to craft a more thorough policy than less vulnerable sectors in order to improve their incident response.

What Are the Key Elements of an Information Security Policy?

Now that you know the driving purposes of an information security policy, the policy itself needs to be put together with several considerations in mind. Here are four keys to a successful information security policy:

1. Define the Objective

An information security policy can be as general or as comprehensive as a business owner desires it to be. Because virtually every industry has been affected by a breach or an attempted breach, it’s important for policies to be substantive. At the very least, they need a defined objective or goal. Many organizations use the CIA triad as a template for shaping the purpose of their policy. The CIA triad is made up of three pillars:

  • Confidentiality
  • Integrity
  • Availability

Confidentiality: The confidentiality pillar refers to the people within an organization who have authorization to use customers’ personal information or sensitive data that is proprietary to a business. It also refers to the steps or solutions in place to ensure that eyes-only, top-secret information remains protected from disclosure. This may involve passwords, access control measures (e.g., authentication and authorization) or data encryption.

Integrity: The integrity pillar is primarily concerned with maintaining the authenticity, veracity and consistency of the data in question. If there are no methodologies in place to promote data integrity, information can be manipulated. This is frequently done maliciously, but it can also happen unintentionally, such as through typographical errors, an overlooked attack vector, or failing to install security updates or patches when they’re released.

Many of the strategies used to support confidentiality also apply to data integrity, such as data encryption, digital signatures and data backup.

Availability: Information exists to be communicated and put to productive use. It does little good if it’s inaccessible or difficult for authorized users to obtain. Thus, the availability pillar of the CIA triad balances security with accessibility.

There are a variety of scenarios that can prevent data from being accessed quickly. Power outages can knock computer systems offline, often for hours (if not days) at a time. A distributed denial of service attack can disrupt or cripple a network. A natural disaster — such as a hurricane, flood or tornado — can destroy on-premises infrastructure or hardware. The worst-case possibilities are all but endless.

An information security policy must address the security standards and incident response measures that can bring systems back online when the unexpected occurs. Disaster recovery, data backup and surge protectors are a few strategies that help to maintain or re-establish availability.

2. Establish Accountability and Understanding

While a certain team or professional, such as an information systems and network administrator or the IT department, may be charged with putting an information security policy together, it’s important for the policy to encompass the entirety of your business. Every section of the company that interacts with data needs to be accounted for in the information security policy and needs to understand its role in upholding it. This includes legal, human resources, technical, front desk, accounting, sales and any other information-intensive business unit.

Making sure that all the departments are represented in an information security policy also guards against scenarios in which employees can claim ignorance as to how to respond to a security incident or who to go to if the breach started in their section.

3. Classify Data in Order of Sensitivity

While all information is valuable, some types of data are higher priority or higher value than others, thus requiring an extra level of protection or response in the event of a breach. That’s why many information security policies classify data. The higher the level, the more sensitive the data is and the more severe the ramifications may be should the information be exposed. For example, “Level 1” information may be data that is publicly available and thus not in need of advanced security measures. “Level 5” information, on the other hand, has the potential to cause irreparable damage if it’s stolen or disclosed.

Data classification helps to prioritize information assets so the appropriate resources are put to work to neutralize an incident and heighten security awareness.

4. Cover All of Your Bases

Information comes in many different forms and so do the scenarios in which data can be exploited, stolen, damaged, misappropriated or tampered with, whether by internal or external actors. An information security policy should be mindful of all the situations that can lead to data loss as well as the potential attack vectors. As the Hiscox report showed, cloud servers are the leading access point for cyberattacks, followed by business email, corporate servers and remote access servers.

But there are many other ways in which data can be compromised. Internal threats come from company employees. While some of these incidents are malicious, information may also be exposed unwittingly due to human error or a failure to follow certain security protocols. Severe weather or natural disasters, such as wildfires or earthquakes, can also leave information vulnerable to damage without the proper backup measures in place.

Whatever circumstance can lead to information loss should be paired with an appropriate incident response.

Covering your bases also means educating the relevant parties and communicating the security policy to them. This isn’t just a matter of representation, as referenced earlier. It also means ongoing education. Policies within an organization can change, as can the information that is obtained and how it’s utilized. That’s why training may be needed to communicate which policy changes are underway that affect information handling and to buttress the security posture of the company. Education also gives workers an opportunity to ask questions or to clarify where there may be areas of confusion or inconsistency.

Additionally, ongoing training helps establish a shared risk tolerance. As the National Institute of Standards and Technology points out, societal factors and perception of risk influence the manner in which information is handled and disseminated. Providing regularly scheduled security awareness training helps to mitigate differences in risk perception from one individual to the next. Describing various scenarios that can increase the chances of data being mistakenly divulged provides a general understanding of which behaviors must be avoided.

While an information security policy can mitigate the effects of a data breach or security incident, the financial fallout can still be substantial. That’s why it’s important to have some kind of business insurance to guard against losses. As Hiscox found in its report, nearly two-thirds of business owners globally have standalone cyber insurance coverage or something similar to it, up from 58% in 2020.

Get Your Degree at UAB

Whether you own a business now, are newly out of college or intend to launch your own company and want a better grasp of data management, an online Master of Science in Information Systems degree is a credential that can help you achieve your goals and become a better steward of information assets. The University of Alabama at Birmingham Collat School of Business offers an academic program designed with your busy schedule in mind. Contact us today to learn more.

Sources:

Identity Theft Resource Center, “Q1 2022 Data Breach Analysis”

Hiscox, “Cyber Readiness Report 2022”

National Institute of Standards and Technology, “An Introduction to Information Security”