What is Information Security Policy?


Posted by: Lauren Hockley Published: Wed, 15 Aug 2018 Last Reviewed: Thu, 30 Jul 2020

An information security policy is the set of rules an organisation lays down so that everyone who handles its information follows good practice, keeps that information safe and reduces the risk of a data breach. Information security rests on three principles: confidentiality, integrity and availability, all of which a strong policy helps to enforce. Policies protect the organisation against legal, financial and reputational damage, and they also protect the people whose data it holds.

How important is an information security policy?

Information security should be treated not as a choice but as a legal requirement. Security breaches can result in data loss, inaccurate data, breaches of confidentiality, wasted resources and, in the worst cases, harm to individuals' rights and freedoms. Information security practice is governed by several pieces of legislation, including the Data Protection Act 2018, which implements and supplements the EU General Data Protection Regulation in UK law.

What should an information security policy cover?

Information security policies should encompass a wide range of data formats and locations, not just the records held on office computers.

How are different types of data classified?

Data can be classified into different sensitivity bands, and the handling rules that apply to a piece of data are usually determined by its band. One sensitivity classification scheme is shown below, from least to most sensitive.

Publicly available:

  • Public contact details, service availability, some organisational decisions

Contextually sensitive:

  • Normally made available to the public
  • Draft forms of documents

Personal and confidential:

  • Regarding an identifiable, living person
  • Email, date of birth, address

Extremely sensitive:

  • Would have drastic consequences for organisations or individuals if misused, including loss of life or failure to continue carrying out work
  • Criminal offences and convictions

Access to extremely sensitive information can be restricted further with additional controls on top of normal access rights, e.g. an additional password before the record can be opened.


How to implement an information security policy

Use role-based data access controls

Within most organisations, different users need, and are authorised to see, different kinds of information. A common way to manage this is role-based access control: access rights are attached to job roles rather than to individuals, so every employee with the same responsibilities receives the same, and only the same, access rights (the principle of least privilege). Many security incidents involve human error, so limiting the number of people who can reach data they do not need shrinks the opportunity for those errors to become breaches. Access rights should also be reviewed when people change role or leave, since rights that are granted but never revoked quietly undo the scheme.
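The two ideas above, the sensitivity bands from the classification table and role-based access, fit together in a single access decision. The following is an added example written for this page, not DeltaNet's software or any particular product: the roles, their clearance levels, the document names and the sample sessions are assumptions. The decision denies by default, lets a role read only up to its clearance band, and, for the extremely sensitive band, also requires a second authentication factor, which is the kind of additional restriction the classification section mentions.

```go
package main

import (
	"errors"
	"fmt"
)

// Band is a sensitivity classification, ordered from least to most sensitive
// so that a role's clearance can be compared against a document's band.
type Band int

const (
	Public Band = iota
	ContextuallySensitive
	PersonalConfidential
	ExtremelySensitive
)

var bandNames = [...]string{
	"publicly available", "contextually sensitive",
	"personal and confidential", "extremely sensitive",
}

func (b Band) String() string { return bandNames[b] }

// Document carries the band its owner assigned to it.
type Document struct {
	Name string
	Band Band
}

// Role is a job function. Rights attach to the role, never to a named person,
// so everyone with the same responsibilities gets identical access.
type Role string

// roleClearance is the highest band each role may read. The roles and their
// clearance levels are assumptions made for this example.
var roleClearance = map[Role]Band{
	"receptionist": Public,
	"caseworker":   PersonalConfidential,
	"dpo":          ExtremelySensitive, // data protection officer
}

// Session is an authenticated user: who they are, which role they hold, and
// whether they presented a second authentication factor in this session.
type Session struct {
	User         string
	Role         Role
	SecondFactor bool
}

var (
	ErrUnknownRole = errors.New("unknown role: denied by default")
	ErrClearance   = errors.New("document band exceeds role clearance")
	ErrStepUp      = errors.New("extremely sensitive data needs a second factor")
)

// Authorise decides whether a session may read a document. It denies by
// default: an unrecognised role gets nothing, a role may read documents up to
// its clearance band, and the top band additionally requires step-up
// authentication.
func Authorise(s Session, d Document) error {
	clearance, ok := roleClearance[s.Role]
	if !ok {
		return ErrUnknownRole
	}
	if d.Band > clearance {
		return ErrClearance
	}
	if d.Band == ExtremelySensitive && !s.SecondFactor {
		return ErrStepUp
	}
	return nil
}

func main() {
	// Constructed sample documents and sessions for the demonstration.
	docs := []Document{
		{"opening-hours.txt", Public},
		{"client-addresses.csv", PersonalConfidential},
		{"conviction-records.db", ExtremelySensitive},
	}
	sessions := []Session{
		{"alice", "receptionist", false},
		{"bob", "caseworker", false},
		{"carol", "dpo", false},
		{"carol", "dpo", true},
		{"mallory", "contractor", true}, // role not in the policy at all
	}
	for _, s := range sessions {
		for _, d := range docs {
			if err := Authorise(s, d); err != nil {
				fmt.Printf("DENY  %-8s %-12s %-22s (%s): %v\n", s.User, s.Role, d.Name, d.Band, err)
			} else {
				fmt.Printf("ALLOW %-8s %-12s %-22s (%s)\n", s.User, s.Role, d.Name, d.Band)
			}
		}
	}
}
```

Run it with `go run .` and read the ALLOW/DENY lines: the caseworker sees client addresses but not conviction records, the data protection officer sees conviction records only in a session where a second factor was presented, and the unknown "contractor" role is refused even the public document. Every denial carries its reason, which is what an audit log needs.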

Enforce strong passwords

It's true that many data security breaches originate from external attackers, but the easiest way in is often an employee who unwittingly lets the attacker through the door. Among the top causes of organisational data breaches and losses are weak or reused passwords, staff clicking on unexpected links or attachments or visiting blocked sites, and laptops, phones and removable media being left unattended or lost. These look like simple mistakes, but neglecting basic security practice in these ways poses a serious threat to business data, and only ongoing training addresses it. On passwords specifically, current guidance from the UK's National Cyber Security Centre favours long, unique passwords or passphrases checked against lists of known-compromised passwords, backed by multi-factor authentication, and advises against forcing users to change passwords on a fixed schedule, because mandatory expiry tends to produce weaker, predictable variations. Passwords should be changed when there is reason to believe they have been compromised.

Encrypt your data

Some organisations require that any information leaving the organisation is encrypted. Encryption converts readable information (plaintext) into an unintelligible form (ciphertext) by running it through an encryption algorithm under a secret key. The key, not the algorithm, is the secret: the algorithm is normally public and well studied, and anyone holding the corresponding key can reverse the process and recover the original information, while anyone without it cannot, even if they obtain the ciphertext. This is what protects data that falls into the wrong hands, provided the key is kept separate from the encrypted data and is never sent alongside it. Data stored on portable devices such as USB sticks and laptops should be encrypted, since they are easily misplaced or stolen. Users should familiarise themselves with their organisation's encryption policy.
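What encrypting a file for transfer or for a USB stick looks like in practice, as an added example written for this page rather than code from DeltaNet or any product: it uses AES-256-GCM from the Go standard library, which is authenticated encryption, so a wrong key or a tampered message is detected and rejected instead of producing garbage. The sample client record, the file label and the randomly generated keys are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns 32 random bytes for AES-256. In a real deployment the key
// would be derived from a passphrase with a slow KDF or held in a key store,
// and it must travel separately from the encrypted data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// Encrypt seals plaintext under key with AES-GCM. The output is
// nonce || ciphertext || tag; the tag lets the receiver detect any change to
// the message. A fresh random nonce is used every time, since reusing a
// nonce with the same key breaks GCM's guarantees. "associated" is data that
// is authenticated but not encrypted, e.g. a file name.
func Encrypt(key, plaintext, associated []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice it is given.
	return gcm.Seal(nonce, nonce, plaintext, associated), nil
}

// Decrypt reverses Encrypt. Without the right key, or if a single byte of the
// message or the associated data differs, Open returns an error and no
// plaintext is released.
func Decrypt(key, message, associated []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(message) < gcm.NonceSize() {
		return nil, errors.New("message too short to contain a nonce")
	}
	nonce, ct := message[:gcm.NonceSize()], message[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, associated)
}

func main() {
	key, _ := NewKey()
	wrongKey, _ := NewKey()
	// Constructed sample record standing in for a file copied to a USB stick.
	record := []byte("name=J. Bloggs;dob=1980-01-02;address=1 High Street")
	label := []byte("clients-export.csv") // authenticated, not secret

	sealed, err := Encrypt(key, record, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes, first 16: %x\n", len(sealed), sealed[:16])

	if out, err := Decrypt(key, sealed, label); err == nil {
		fmt.Printf("right key:   %s\n", out)
	}
	if _, err := Decrypt(wrongKey, sealed, label); err != nil {
		fmt.Println("wrong key:  ", err)
	}
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	if _, err := Decrypt(key, tampered, label); err != nil {
		fmt.Println("tampered:   ", err)
	}
}
```

The second and third Decrypt calls fail, which is the property the policy relies on: a lost stick or an intercepted attachment yields nothing without the key, and a modified file is refused rather than trusted. Note that the ciphertext length still reveals roughly how much data there is; encryption hides content, not size.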

Secure physical access to your buildings

Policies should also cover the physical security of the building. An unauthorised person who gets inside can read information they are not entitled to see, or simply walk off with a laptop or a stack of printouts. Simple measures such as keeping windows and doors shut and locked whenever possible are essential. Two-factor authentication at entry points reduces the risk of someone gaining wrongful access to the building: the person must present two forms of proof, typically something they know (like a door code) and something they have (like an ID card).

How to prevent hacking

Hackers are usually opportunists: they find a weakness and exploit it for the most convenient and profitable gain. Many do not target particular individuals at all, but send malware or phishing messages to as many recipients as possible in the hope that someone takes the bait. Cyber criminals are therefore constantly probing organisations' information security defences.

Why does this matter? Because misunderstanding hackers leads us to underestimate the threat. If we imagine hackers as a select breed of digital masters planning brilliant attacks against enormous corporations, we assume that we, as smaller and less significant targets, are safe from their attention. If instead we recognise that a hacker can be anyone with the will to commit a crime and the ability to use a search engine, we realise that the threat is broad and omnipresent, and that we must take every precaution to keep our data and systems safe, because we are, sadly, as much a target as the largest global corporation.

Ensuring that all staff are trained in cyber security awareness and best practice will go a long way towards protecting your business from a devastating attack. And because the techniques of hackers and fraudsters keep changing, staff training must be refreshed regularly too.

Because time to detection matters, the IT service desk can play an essential role in spotting a potential security incident early.

Service desk staff see the first reports of anything unusual: a burst of password-reset requests, several users locked out at once, machines behaving strangely, or the same suspicious email reported by many people. Trained to recognise these early warnings and to escalate them to the right security specialists, front-line staff become a powerful first line of defence.
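One such pattern made concrete, as an added example written for this page (not DeltaNet's code or a real product): a single source address failing to log in to many different accounts in quick succession looks, from the service desk, like several unrelated users suddenly forgetting their passwords, but is the classic shape of a password-spraying attempt. The log format and the log lines below are constructed for the demonstration; a real detector would also bucket events by time window and flag a success that follows a run of failures from the same source.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// sampleLog is a constructed authentication log, one event per line:
//   <RFC3339 time> <OK|FAIL> user=<account> src=<address>
// 10.0.0.5 fails against five accounts and then succeeds on one;
// 192.168.1.20 is a user mistyping their own password twice.
const sampleLog = `2020-07-30T08:01:02Z FAIL user=alice src=10.0.0.5
2020-07-30T08:01:03Z FAIL user=bob src=10.0.0.5
2020-07-30T08:01:04Z FAIL user=carol src=10.0.0.5
2020-07-30T08:01:05Z FAIL user=dave src=10.0.0.5
2020-07-30T08:01:06Z FAIL user=erin src=10.0.0.5
2020-07-30T08:01:07Z FAIL user=alice src=10.0.0.5
2020-07-30T08:01:08Z OK user=erin src=10.0.0.5
2020-07-30T08:02:10Z FAIL user=alice src=192.168.1.20
2020-07-30T08:02:15Z FAIL user=alice src=192.168.1.20
2020-07-30T08:02:20Z OK user=alice src=192.168.1.20
2020-07-30T08:03:00Z FAIL user=frank src=10.0.0.7`

// Event is one parsed log line.
type Event struct {
	Time, Result, User, Src string
}

// parseLine accepts only well-formed lines; anything else is skipped rather
// than guessed at, so a malformed line cannot poison the counts.
func parseLine(line string) (Event, bool) {
	f := strings.Fields(line)
	if len(f) != 4 || !strings.HasPrefix(f[2], "user=") || !strings.HasPrefix(f[3], "src=") {
		return Event{}, false
	}
	return Event{
		Time:   f[0],
		Result: f[1],
		User:   strings.TrimPrefix(f[2], "user="),
		Src:    strings.TrimPrefix(f[3], "src="),
	}, true
}

// Finding is one source that failed against at least minAccounts distinct
// accounts in the log.
type Finding struct {
	Src      string
	Accounts []string
	Failures int
}

// FindSprays groups failed logins by source and reports sources that touched
// many different accounts. A legitimate user who mistypes a password hits one
// account repeatedly; a spray hits many accounts a few times each.
func FindSprays(log string, minAccounts int) []Finding {
	fails := map[string]map[string]int{} // src -> user -> failure count
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		ev, ok := parseLine(sc.Text())
		if !ok || ev.Result != "FAIL" {
			continue
		}
		if fails[ev.Src] == nil {
			fails[ev.Src] = map[string]int{}
		}
		fails[ev.Src][ev.User]++
	}
	var out []Finding
	for src, users := range fails {
		if len(users) < minAccounts {
			continue
		}
		f := Finding{Src: src}
		for u, n := range users {
			f.Accounts = append(f.Accounts, u)
			f.Failures += n
		}
		sort.Strings(f.Accounts)
		out = append(out, f)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Src < out[j].Src })
	return out
}

func main() {
	for _, f := range FindSprays(sampleLog, 4) {
		fmt.Printf("possible password spray from %s: %d failures across %d accounts %v\n",
			f.Src, f.Failures, len(f.Accounts), f.Accounts)
	}
}
```

On the sample data only 10.0.0.5 is reported (six failures across five accounts); the user at 192.168.1.20 who got their own password wrong twice is not, which is the distinction a service desk needs so that genuine lock-outs are handled as support tickets and the spray is escalated.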

Information Security Training from DeltaNet

Do your employees know the basics when it comes to Cyber Security? eLearning solutions from DeltaNet International can help. We offer off-the-shelf cyber security awareness training covering topics such as Keeping Information Secure, Phishing Awareness, Protecting your Identity, and Preventing a Data Breach.

Contact our team to find out more about Cyber Security eLearning at DeltaNet.
