Monday, July 20, 2009

What is an IT Security Policy?

An IT security policy is a statement of how your company will apply information security principles and technologies. It is essentially a business plan that covers only the information security aspects of the business: what must be protected, to what standard, and who is responsible.

A security policy is different from security procedures. A policy provides both high-level and specific requirements for how your company is to protect its data, but it does not specify exactly how those requirements are to be met; that is the job of the procedures written to implement it. This separation gives you leeway to choose the security devices and methods that best fit your company and budget, and it means the policy does not have to be rewritten every time a product or process changes. A security policy is technology- and vendor-independent: its intent is to set the requirements only, which you can then implement in any manner that meets the stated goals.

A security policy should cover all of your company's electronic systems and data. As a general rule, a security policy would not cover hard copies of company data, but some overlap is occasionally inevitable (printed reports, backup media, paper records of customer data). Where a policy is intended to apply to hard copies of information, this must be stated explicitly in that policy so there is no ambiguity about its scope.

A security policy must specifically accomplish three objectives:

1) It must protect the confidentiality and privacy of your company's information, so that it is disclosed only to those authorized to see it.

2) It must protect the integrity of your company's information, so that it cannot be altered or destroyed without authorization and without detection.

3) It must provide for the availability of your company's information, so that authorized users can reach it when they need it.

This is commonly referred to as the "CIA Triad" of Confidentiality, Integrity, and Availability, an approach shared by virtually every major security regulation and standard.

For more information visit www.InstantSecurityPolicy.com