An information security policy is a set of rules laid down by an organisation to ensure that all users follow good practice, keep information safe and reduce the risk of a data breach. Information security rests on three main principles, confidentiality, integrity and availability, all of which can be enforced by implementing strong information security policies. Policies not only protect your organisation against legal, financial and reputational damage; they also protect the people whose data you hold.
What Should Policies Cover?
Data exists in a wide range of formats and locations. Policies should cover all of them, including:
- Printers, fax machines and scanners
- Tablets and laptops
- USB sticks and other portable storage devices
- Public clouds
- Paper records
Within most organisations, different users need, and are authorised to access, different types of information. A common way to manage this is role-based access control: every employee with the same responsibilities receives the same access rights, granted to the role rather than to the individual. Most security breaches arise from human error, so reducing the number of people with unnecessary access to data reduces the opportunity for incidents to occur.
Policies should also cover the physical security of the building. Unauthorised personnel gaining access to the building could see information they are not entitled to see. Simple measures such as keeping windows and doors shut and locked whenever possible are essential. Two-factor authentication at the entrance minimises the risk of people gaining wrongful access to the building: the user must present two forms of identification when entering, typically something they know (such as a door code) and something they have (such as an ID card).
Some organisations require that any information transferred outside the organisation is encrypted. Encryption converts information into an unreadable form by applying an algorithm under a secret key. The corresponding key is required to reverse the process and recover the original, meaningful information. Without access to the key, recipients cannot read the data, which protects it from falling into the wrong hands. Data stored on portable devices such as USB sticks should be encrypted, as they are easily misplaced or stolen. Users should familiarise themselves with their organisation's encryption policy.
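The following Go program is an added example, not code from the article, showing what the paragraph above describes for a record copied to a portable device: the data is sealed under a random key, only the holder of that key recovers it, and a wrong key or a modified file is rejected rather than yielding garbage. The choice of AES-256-GCM and the sample record are assumptions of this example; the article names no algorithm.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random 256-bit key. The key is the secret;
// the algorithm (AES-GCM, chosen for this example) is public.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. A random nonce is prefixed to
// the output so Decrypt can recover it; GCM also adds an authentication tag,
// so any alteration of the stored blob is detected on decryption.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It returns an error, not garbage, when the key
// is wrong, the blob has been modified, or the blob is too short.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

func main() {
	// Constructed sample: a personal record that would be copied to a USB stick.
	record := []byte("Name: A. Example\nDOB: 1990-01-01\nAddress: 1 Sample Street")
	key, _ := NewKey()
	blob, _ := Encrypt(key, record)
	fmt.Printf("stored on device: %d bytes of ciphertext, no readable text\n", len(blob))

	if pt, err := Decrypt(key, blob); err == nil {
		fmt.Printf("holder of the key recovers: %q\n", pt)
	}
	wrong, _ := NewKey()
	if _, err := Decrypt(wrong, blob); err != nil {
		fmt.Println("without the key:", err)
	}
	blob[len(blob)-1] ^= 0x01 // simulate a corrupted or tampered file
	if _, err := Decrypt(key, blob); err != nil {
		fmt.Println("modified file rejected:", err)
	}
}
```

The example deliberately leaves key storage out: the policy point is that the key must travel separately from the device, since a key kept on the same USB stick protects nothing.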
Data Sensitivity Classification
Data can be classified into sensitivity bands, and the handling of data and the policies surrounding its use are usually determined by its band. One classification system is shown below. Access to extremely sensitive information can be restricted further by adding access controls, such as an additional password.
| Data type | Meaning | Example |
|---|---|---|
| Unrestricted | Publicly available | Public contact details, service availability, some organisational decisions |
| Contextually sensitive | Normally made available to the public | Draft forms of documents |
| Personal and confidential | Regarding an identifiable, living person | Email, date of birth, address |
| Extremely sensitive | Would have drastic consequences on organisations or individuals if misused, including loss of life or failure to continue carrying out work | Criminal offences and convictions |
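As an added example (not code from the article), the Go program below puts the two ideas together: the role-based access control described earlier, where rights attach to a role rather than a person, and the sensitivity table above, where each band sets how data is handled. Every role gets a ceiling band, unknown roles are denied by default, and the extremely sensitive band demands the additional check the text mentions. The role names, record names and the step-up flag are assumptions of this example.

```go
package main

import "fmt"

// Sensitivity bands from the classification table, ordered from least to
// most sensitive so that bands can be compared with < and >.
type Sensitivity int

const (
	Unrestricted Sensitivity = iota
	ContextuallySensitive
	PersonalConfidential
	ExtremelySensitive
)

func (s Sensitivity) String() string {
	switch s {
	case Unrestricted:
		return "unrestricted"
	case ContextuallySensitive:
		return "contextually sensitive"
	case PersonalConfidential:
		return "personal and confidential"
	case ExtremelySensitive:
		return "extremely sensitive"
	}
	return "unknown"
}

// Role is a job function. The role names below are hypothetical placeholders.
type Role string

// rolePolicy is the role-based policy: everyone holding a role gets the same
// ceiling, the highest band that role may read. There are no per-person grants.
var rolePolicy = map[Role]Sensitivity{
	"visitor":      Unrestricted,
	"staff":        ContextuallySensitive,
	"hr-officer":   PersonalConfidential,
	"safeguarding": ExtremelySensitive,
}

// Record is a data item labelled with its sensitivity band.
type Record struct {
	Name string
	Band Sensitivity
}

// Request carries who is asking and whether they have passed the additional
// check (for example a further password) required for the top band.
type Request struct {
	Role   Role
	StepUp bool
}

// Authorise applies the policy and returns the decision with a reason that
// can be written straight to an audit log. Unknown roles are denied.
func Authorise(req Request, r Record) (bool, string) {
	ceiling, ok := rolePolicy[req.Role]
	if !ok {
		return false, fmt.Sprintf("denied: role %q is not in the policy", req.Role)
	}
	if r.Band > ceiling {
		return false, fmt.Sprintf("denied: role %q may read up to %s, %q is %s",
			req.Role, ceiling, r.Name, r.Band)
	}
	if r.Band == ExtremelySensitive && !req.StepUp {
		return false, fmt.Sprintf("denied: %q requires the additional access check", r.Name)
	}
	return true, fmt.Sprintf("permitted: role %q reading %q (%s)", req.Role, r.Name, r.Band)
}

func main() {
	// Constructed sample records, one per band of the table.
	records := []Record{
		{"public contact details", Unrestricted},
		{"draft policy document", ContextuallySensitive},
		{"employee home address", PersonalConfidential},
		{"criminal conviction record", ExtremelySensitive},
	}
	requests := []Request{
		{"visitor", false}, {"staff", false}, {"hr-officer", false},
		{"safeguarding", false}, {"safeguarding", true}, {"contractor", false},
	}
	for _, req := range requests {
		for _, r := range records {
			_, reason := Authorise(req, r)
			fmt.Println(reason)
		}
	}
}
```

Because the reason string is produced for every decision, denied requests are as visible as permitted ones, which is what makes repeated attempts to read above a role's ceiling show up in review.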
The Prevalence of Security Breaches
Cyber criminals are constantly testing organisations' information security defences. For example, an investigation into security breaches at UK universities found that cyber-attack rates have rocketed in recent years. Hackers have been trying to gain access to highly sensitive information such as medical records and confidential military files. There is speculation that this information is being sold to foreign powers, presenting a risk to public security. Sound university policy on cyber security is essential to safeguarding this information.
The Importance of Information Security Policies
Clear, concise and readily accessible policies help to ensure information security compliance. Information security practice is governed by several pieces of legislation, including the Data Protection Act 2018 (the UK's implementation of the EU General Data Protection Regulation). Information security should therefore be viewed not as a choice but as a legal requirement. Security breaches can result in data loss, inaccurate data, breaches of confidentiality, wasted resources and even jeopardy to individuals' rights and freedoms.