Information Security Policy Guidance
Written by Ethan Heller

The following article contains guidance on the portions of the Information Security Policy that we most frequently see questions about, explaining what each section means.

Guidance statements will appear in bold and enclosed in brackets “[]” below the statements of the policy.

Information Security Policy

[COMPANY NAME]

______________________________________________________________________

Purpose

[COMPANY NAME]’s Information Security Policy has been developed to: establish a general approach to information security and the minimization of information misuse, compromise or loss; document security processes and measures; uphold ethical standards and meet the company’s regulatory, legal, contractual, and other obligations; control business risk; and ensure that the appropriate company image and reputation are presented.

Scope

This policy applies to:

  • Information in any form, regardless of the media on which it is stored, as well as any facility, system, or network used to store, process, and/or transfer information.

  • All [COMPANY NAME] employees, temporary staff, partners, contractors, vendors, suppliers, and any other person (collectively also referred to as “Staff” or “Personnel”) or entity that accesses the company’s networks or any other public or private network through the company’s networks or systems.

  • All activity while using or accessing the company’s information or information processing, storage, or transmission equipment, while on the company premises (owned, rented, leased, or borrowed) or remotely.

[If your organization is entirely remote, you can remove references to the company premises.]

  • Information resources that have been entrusted to the company by any entity external to the company (i.e. Customers, Staff, and others).

  • Documents, messages, and other communications created on or communicated via the company systems are considered the company’s business records and, as such, are subject to review by third parties in relation to audits, litigation, process improvement, and compliance.

Background

This policy is the overarching policy over the rest of the security policies, which make up the company’s information security program (ISP). The series of security policies includes:

  • Acceptable Use Policy

  • Asset Management Policy

  • Backup Policy

  • Business Continuity/Disaster Recovery Plans

  • Code of Conduct

  • Data Classification, Retention, and Protection Policies

  • Encryption and Password Policies

  • Incident Response Plan

  • Physical Security Policy

  • Responsible Disclosure Policy

  • Risk Assessment Policy

  • Software Development Life Cycle Policy

  • System Access Control Policy

  • Vendor Management Policy

  • Vulnerability Management Policy

[If you have added custom policies, or replaced any of these policies within Drata, you may update this list as appropriate.]

Information Security Objectives

It is the policy of [COMPANY NAME] that information, as defined hereinafter, in all its forms--written, spoken, recorded electronically or printed--will be protected from accidental or intentional unauthorized modification, destruction or disclosure throughout its life-cycle. This protection includes an appropriate level of security over the equipment and software used to process, store, and transmit that information. Ultimately, the information security goal of [COMPANY NAME] is to maintain:

  • Confidentiality: data and information are protected from unauthorized access

  • Integrity: data is intact, complete and accurate

  • Availability: IT systems are available when needed

[COMPANY NAME]’s information security objectives, consistent with the company’s information security program, are:

  • To protect information from all internal, external, deliberate, or accidental threats;

  • To enable secure information sharing;

  • To encourage consistent and professional use of information;

  • To ensure clarity about roles and responsibilities associated with protecting information;

  • To ensure business continuity and minimize business damage; and,

  • To protect the company from legal liability and the inappropriate use of information.

[These objectives are just the goals of your information security program. You may update these with additional goals or change these objectives. If you are working towards ISO 27001, you may also choose to remove these items and refer to the Information Security Objectives within your ISMS Plan. If you are working on ISO 27001 and choose to keep these objectives here, these should match the information security objectives stated in your ISMS Plan.]

Roles and Responsibilities

The [SECURITY OFFICER/ CISO] is responsible for:

[This can be changed to any relevant role; it is not limited to a Security Officer or CISO. It should, however, be someone who has been assigned the responsibilities below.]

  1. The design, development, maintenance, dissemination, and enforcement of the items contained in this policy and other ISP policies.

  2. [For ISO 27001] Ensuring that the information security management system conforms to the requirements of ISO/IEC 27001:2013.

[If you are not working on ISO 27001, this can be removed. If you are working on ISO 27001:2022, this should be updated to state ISO/IEC 27001:2022.]

  3. Reporting on the performance of the information security program to top management.

The objectives and measures outlined by the ISP policies shall be maintained and enforced by the roles and responsibilities specified in each policy and related company documents (e.g., Skills Matrix).

[A Skills Matrix will be required for ISO 27001 and HIPAA, but is optional for other frameworks. We do recommend maintaining some type of documentation that captures who is responsible for information security, but this can take many forms such as a Skills Matrix, Internal Wiki, Roles and Responsibilities within policies, documented Job Descriptions, etc.]

Policy Review

At a minimum on an annual basis, a security and/or compliance committee composed of senior management and key personnel must discuss, evaluate and document the company’s ISP, ensuring strategic goals and objectives are continually being developed.

At a minimum on an annual basis, all ISP policies must be reviewed, modified and/or edited to meet necessary security standards. All policies must be signed and approved by authorized personnel.

Accessibility

Policies and/or procedures must be accessible to employees for review at all times via the compliance automation SaaS, Drata. Policies pertaining to positions must be reviewed and signed upon hire and on an annual basis by all employees.

Exceptions

Requests for any exceptions to any policies included within the ISP must be approved by [COMPANY NAME]’s Executive Management after proper review. Any approved exceptions will be reviewed annually.

[A common method of documenting these exceptions is to track them within a ticketing system.]

Policy

Training

Management shall ensure that employees, contractors and third party users:

  • Are properly briefed on their information security roles and responsibilities prior to being granted access to covered information or information systems;

  • Are provided with guidelines which state security expectations of their role within the organization;

  • Are regularly notified of security changes and updates, as well as reminded of security responsibilities to be undertaken, via annual security awareness training and annual policy acknowledgements;

  • Are motivated to comply with the security policies of the organization;

  • Achieve a level of awareness on security relevant to their roles and responsibilities within the organization;

  • Conform to the terms and conditions of employment, which includes the organization’s information security policy and appropriate methods of working.

All new hires are required to complete information security awareness training as part of their new employee onboarding process and annually thereafter. New hire onboarding will be completed within <X DAYS> after the date the employee or contractor is hired. Ongoing training will include security and privacy requirements as well as training in the correct use of information assets and facilities.

In addition, consistent with assigned roles and responsibilities, incident response and contingency training will be provided to personnel:

  • within 90 days of assuming an incident response role or responsibility;

  • as required by information system or policy changes; and

  • annually.

[This additional training is only required for NIST 800-53. We recommend this training, but it may take many forms. For example, any employee with an incident response or contingency role may be required to acknowledge the associated policies and participate in the annual testing of these plans.]

The organization will properly document that the training has been provided to all employees. All employees are required to acknowledge in writing their understanding of the Information Security Program which includes a Code of Conduct upon hire and annually thereafter.

The organization will properly communicate to its workforce and, if appropriate, contractors:

  • Security updates, changes, and incidents, as needed, via email or appropriate Slack channels.

  • Reminders for security responsibilities as part of the annual security awareness training.

Clean Desk/Work Area

Authorized users will ensure that all sensitive/confidential materials, hardcopy or electronic, are removed from their workspace and locked away when the items are not in use or an employee leaves his/her workstation. This will also increase awareness about protecting sensitive information. As such:

  • Employees are required to ensure that all sensitive/confidential information, hardcopy or electronic, is secure in their work area at the end of the day and when they are expected to be gone for an extended period.

  • Computer workstations must be locked when the workspace is not in use, and must be shut down completely at the end of the day.

  • Sensitive information must be removed from the desk and securely stored when the desk is unattended, and at the end of the day.

  • Laptops and other portable computing devices must be properly stored/secured.

  • File cabinets containing Restricted or Sensitive information must be kept closed and locked when not in use or when not attended.

  • Keys used for access to Restricted or Sensitive information must not be left at an unattended desk.

  • Passwords may not be left on sticky notes posted on or under a computer, nor may they be left written down in an accessible location.

  • Printouts containing Restricted or Sensitive information should be immediately removed from the printer.

  • Upon disposal, Restricted and/or Sensitive documents should be shredded in the official shredder bins or placed in the locked confidential disposal bins.

  • Whiteboards containing Restricted and/or Sensitive information should be erased.

  • Treat mass storage devices such as external hard drives or USB drives as sensitive and always secure and encrypt them.

  • All printers and fax machines should be cleared of papers as soon as they are printed; this helps ensure that sensitive documents are not left in printer trays for the wrong person to pick up.

[This section may be edited as appropriate to remove irrelevant items such as the points related to file cabinets or printers, but this section should apply to both in-person and remote employees, who should secure information in their work area when they are not present.]

Internet/Intranet Access and Use

Use of [COMPANY NAME] computers, networks, and Internet access is a privilege granted by management and may be revoked at any time for inappropriate conduct carried out on such systems, including, but not limited to:

  • Sending chain letters or participating in any way in the creation or transmission of unsolicited "spam" that is unrelated to legitimate Company purposes;

  • Engaging in private or personal business activities, including excessive use of instant messaging and chat rooms;

  • Accessing networks, servers, drives, folders, or files to which the employee has not been granted access or authorization from someone with the right to make such a grant;

  • Making unauthorized copies of Company files or other Company data;

  • Destroying, deleting, erasing, or concealing Company files or other Company data, or otherwise making such files or data unavailable or inaccessible to the Company or to other authorized users of Company systems;

  • Misrepresenting oneself or the Company;

  • Violating the laws and regulations of federal, state, city, province, or local jurisdictions in any way;

  • Engaging in unlawful or malicious activities;

  • Deliberately propagating any virus, worm, Trojan horse, trap-door program code, or other code or file designed to disrupt, disable, impair, or otherwise harm either the Company's networks or systems or those of any other individual or entity;

  • Using abusive, profane, threatening, racist, sexist, or otherwise objectionable language in either public or private messages;

  • Sending, receiving, or accessing pornographic materials;

  • Causing congestion, disruption, disablement, alteration, or impairment of Company networks or systems;

  • Using recreational games; and/or

    [If you authorize this, this item may be removed.]

  • Defeating or attempting to defeat security restrictions on company systems and applications.

    [Items may be added or removed from this list as appropriate.]

Such access will be discontinued upon termination of employment, completion of contract, end of service of non-employee, or disciplinary action arising from violation of this policy. In the case of a change in job function and/or transfer, the original access code will be discontinued, and only reissued if necessary and a new request for access is approved.

All user IDs that have been inactive for thirty (30) days will be revoked. The privileges granted to users must be reevaluated by management annually. In response to feedback from management, systems administrators must promptly revoke all privileges no longer needed by users.

[The period listed above for inactive accounts may be adjusted, however, we do not recommend exceeding 90 days.]

Teleworking

Requirements

  • Secure remote access must be strictly controlled with encryption (i.e., Virtual Private Networks (VPNs)) and strong pass-phrases. Refer to the Encryption Policy and the Password Policy for further information.

    [A VPN is not required, but an encrypted connection is required. This may be through a VPN, or it may be through only utilizing secure web connections with TLS, direct infrastructure connections through SSH, etc.]

  • Authorized Users must protect their login and password, without exception.

  • While using a [COMPANY NAME]-owned computer to remotely connect to the company’s network, authorized users must ensure the remote host is not connected to any other network at the same time, with the exception of personal networks that are under their complete control or under the complete control of an authorized user or third party.

  • The most up-to-date antivirus software must be used on all computers. Third party connections must comply with requirements as stated in the Vendor Management Agreement.

  • Equipment used to connect to [COMPANY NAME]'s networks must meet the requirements for remote access and device use as stated in the Acceptable Use Policy, Asset Management Policy, and System Access Control Policy.

Remote Access Tools

All remote access tools used to communicate between [COMPANY NAME] assets and other systems must comply with the following policy requirements:

  • Multi-factor authentication (such as authentication tokens and smart cards that require an additional PIN or password) is required for all remote access tools

  • The authentication database source must be Active Directory or LDAP, and the authentication protocol must involve a challenge-response protocol that is not susceptible to replay attacks. The remote access tool must mutually authenticate both ends of the session.

    [Active Directory or LDAP is not required. This bullet point is suggesting that remote access tools should utilize a centralized identity provider, for example using SSO with your identity provider (such as Google Workspace).]

  • Remote access tools must support the [COMPANY NAME] application layer proxy rather than direct connections through the perimeter firewall(s).

    [This bullet may be removed if it is not relevant to your organization.]

  • Remote access tools must support strong, end-to-end encryption of the remote access communication channels as specified in the Encryption Policy.

  • All antivirus, data loss prevention, and other security systems must not be disabled, interfered with, or circumvented in any way.

Mobile Endpoint and Storage Devices

Protecting endpoint devices issued by [COMPANY NAME] or storing company data is the responsibility of every employee. This pertains to all devices that connect to the company network, regardless of ownership. Mobile endpoint and storage devices are defined to include: desktop systems (in telework environment), laptops, PDAs, mobile phones, plug-ins, Universal Serial Bus (USB) port devices, Compact Discs (CDs), Digital Versatile Discs (DVDs), flash drives, modems, handheld wireless devices, wireless networking cards, and any other existing or future mobile computing or storage device, either personally owned or [COMPANY NAME] owned. An inventory of company-owned assets will be properly maintained.

For endpoint devices,

  • Company-issued mobile devices will have antivirus and endpoint security pre-installed.

  • Users must run an online malware scanner at least once a month.

    [Depending on the antivirus software you deploy, this bullet may not be possible. Using the built-in protection in macOS would not allow this bullet point. Similarly, newer antivirus solutions may not support a traditional scan.]

  • If browser add-ons are approved and installed, a browser testing tool shall be run to ensure the security of the add-on.

    [This is a security best practice, but not strictly required. If you do choose to implement this requirement, a tool such as https://browsercheck.qualys.com/ would be required.]

  • Mobile endpoint devices must further meet the requirements for use as stated in the Acceptable Use Policy and Asset Management Policy.

For storage devices,

  • A risk analysis will be conducted prior to use of the device or its connection to the company network, unless previously approved.

  • Detection of incidents must immediately be reported to the [RESPONSIBLE PARTY, e.g., information security team].

  • Stolen mobile devices must immediately be reported to the [RESPONSIBLE PARTY, e.g., information security team].

Intellectual Property Rights

[COMPANY NAME] takes handling and safeguarding of intellectual property very seriously. Intellectual property rights include software or document copyright, design rights, trademarks, patents and source code licenses.

To ensure this, the following procedures will be maintained:

  • Software will only be acquired through known and reputable sources, to ensure that copyright is not violated.

  • An asset inventory will identify all assets with requirements to protect intellectual property rights.

    [In some instances, licenses may restrict what can be done with software. For example, some software licenses may forbid copies of that software from being produced. If you had a server running software with a license which restricted that, you may have to evaluate whether you can perform a full backup of the server. In the event that licensing prevents that, that consideration should be documented somewhere, such as in your asset inventory.]

  • Proof and evidence of ownership of licenses, master disks, manuals, etc. will be maintained.

  • Review of the asset inventory will also make sure that only licensed software and products are installed.

  • [COMPANY NAME] will ensure compliance with terms and conditions for software and information obtained from public networks.

Information Security Requirements Analysis & Specifications

[COMPANY NAME] will identify its information security requirements using the methods listed below, ensure the results of the identification are documented and reviewed by all stakeholders, and integrate the requirements and associated processes into the early stages of projects.

Methods

  • Policies and regulations

  • Threat modeling

  • Incident reviews

  • Use of vulnerability thresholds

Factors

  • Level of confidence required towards the claimed identity of users, in order to derive user authentication requirements.

  • Access provisioning and authorization processes, for business and privileged or technical users.

  • Informing users and operators of their duties and responsibilities.

  • Protection needs of assets, especially in terms of availability, confidentiality, integrity.

  • Business processes (e.g., transaction logging and monitoring, non-repudiation requirements).

  • Other security controls (e.g. interfaces to logging and monitoring or data leakage detection systems).

Employment Terms and Conditions

The following terms and conditions of employment at [COMPANY NAME] are the contractual obligations for employees or contractors for the safeguarding of information. They include, but are not limited to:

  • Signing a confidentiality or non-disclosure agreement (NDA) prior to access to confidential information and processing facilities.

  • Legal responsibilities and rights, particularly concerning intellectual property.

  • Responsibilities for the classification of information and management of organizational assets associated with information, information processing facilities and information services handled by an employee or contractor.

  • Responsibilities for handling of information received from third parties.

  • Reviewing and agreeing with the security policies of the company.

  • Duration of responsibilities beyond end of employment.

    [Responsibilities beyond the end of employment may be items such as NDAs which extend for a period of time after employment has ended.]

  • Actions to be taken for non-compliance with the terms and conditions, and the company’s security policies.

Disciplinary Process

[This section can be edited as appropriate. Compliance frameworks do not usually specify what a disciplinary process should entail, but may require that you have one. This section can be replaced with what your current disciplinary process is, if one currently exists.]

[COMPANY NAME]’s discipline policy and procedures are designed to provide a structured corrective action process to improve and prevent a recurrence of undesirable employee behavior and performance issues. It has been designed to be consistent with [COMPANY NAME] cultural values, Human Resources (HR) best practices, and employment laws.

[COMPANY NAME] reserves the right to combine or skip steps depending on the facts of each situation and the nature of the offense. The level of disciplinary intervention may also vary. Some of the factors that will be considered are whether the offense is repeated despite coaching, counseling, or training, the employee’s work record, and the impact the conduct and performance issues have on the organization.

Step 1: Verbal Warning and Counseling

This initial step creates an opportunity for the immediate supervisor to schedule a meeting with an employee to bring attention to an existing performance, conduct or attendance issue. The supervisor should discuss with the employee the nature of the problem or the violation of company policies and procedures. The supervisor is expected to clearly describe expectations and the steps the employee must take to improve performance or resolve the problem.

Step 2: Formal Written Warning

If the employee does not promptly correct any performance, conduct or attendance issues that were identified in Step 1, a written warning will become formal documentation of the performance, conduct, or attendance issues and consequences. The employee will sign a copy of the document to acknowledge receipt and understanding of the formal warning. During Step 2, the immediate supervisor and HR representative will meet with the employee to review any additional incidents or information about the performance, conduct or attendance issues as well as any prior relevant corrective action plans. Management will outline the consequences for the employee of his or her continued failure to meet performance or conduct expectations.

A formal performance improvement plan (PIP) requiring the employee’s immediate and sustained corrective action will be issued after a Step 2 meeting. A warning outlining that the employee may be subject to additional discipline up to and including termination if immediate and sustained corrective action is not taken may also be included in the written warning.

Step 3: Suspension and Final Written Warning

There may be performance, conduct, or safety incidents so problematic and harmful that the most effective action may be the temporary removal of the employee from the workplace. When immediate action is necessary to ensure the safety of the employee or others, the immediate supervisor may suspend the employee pending the results of an investigation. Suspensions that are recommended as part of the normal progression of this progressive discipline policy and procedure are subject to approval from a next-level manager and HR.

Step 4: Recommendation for Termination of Employment

The last step in the progressive discipline procedure is a recommendation to terminate employment. Generally, [COMPANY NAME] will try to exercise the progressive nature of this policy by first providing warnings, a final written warning or suspension from the workplace before proceeding to a recommendation to terminate employment. However, [COMPANY NAME] reserves the right to combine and skip steps depending on the circumstances of each situation and the nature of the offense. Furthermore, employees may be terminated without prior notice or disciplinary action.

Management’s recommendation to terminate employment must be approved by HR and the supervisor’s immediate manager. Final approval may be required from the CEO.

Performance and Conduct Issues Not Subject to Progressive Discipline

Behavior that is illegal is not subject to progressive discipline, and such behavior may be reported to local law enforcement authorities. Theft, substance abuse, intoxication, fighting and other acts of violence at work are grounds for immediate termination.

Enforcement

[COMPANY NAME] Management, under the explicit authority granted by the company CEO, retains the authority and responsibility to monitor and enforce compliance with this Policy and other policies, standards, procedures, and guidelines. Monitoring activities may be conducted on an ongoing basis or on a random basis whenever deemed necessary by Management and may require investigating the use of the Company’s information resources. The company reserves the right to review any and all communications and activities without notice.

[COMPANY NAME] will take appropriate precautions to ensure that monitoring activities are limited to the extent necessary to determine whether the communications or activities are in violation of Company policies, standards, procedures, and guidelines or in accordance with normal business processing performance or quality activities.

Violation of the controls established in this Policy is prohibited and will be appropriately addressed. Disciplinary actions for violations may include verbal and/or written warnings, suspension, termination, and/or other legal remedies and will be consistent with our published HR standards and practices.
