The role of policy is to codify guiding principles, shape behavior, provide guidance for decision makers, and serve as an implementation roadmap. An information security policy defines how an organization will protect its information assets, ensure compliance with legal and regulatory requirements, and maintain an environment that supports those principles.
Successful information security policies establish what must be done and why — but not how. Good policy has seven essential characteristics.
Endorsed
Leadership must not only believe in the policy — they must act accordingly. Visible participation, ongoing communication, and consistent prioritization are all required. Nothing will doom a policy quicker than having management ignore or circumvent it.
Relevant
The policy must support the guiding principles and goals of the organization and be relevant to those who must comply. A policy that employees can't recognize in relation to their everyday experience will not be followed.
Realistic
Policies will be rejected if they don't reflect the reality of the environment in which they'll be implemented. Engaging constituents in policy development, providing appropriate training, and consistently enforcing policies lead to better adoption.
Attainable
Information security policies should only require what is possible. A policy should never set up constituents for failure — it should provide a clear path for success.
Adaptable
An adaptable information security policy recognizes that security is not a static, point-in-time endeavor, but an ongoing process. Organizations committed to strong security programs treat policy as a living document.
Enforceable
Enforceable means that controls can be put in place to support the policy, compliance can be measured, and appropriate sanctions can be applied. A rule with no consequence is effectively meaningless.
Inclusive
Data and the systems that store, transmit, and process it are now widely distributed. Policies must consider vendor and third-party relationships, outsourced functions, and the full range of external threats — not just what happens inside the organization's walls.
The hallmark of a great information security policy is that it positively affects the organization, its employees, customers, and the broader operating environment it touches.
