What is Information Security Policy?

Information security policy is a set of rules outlining how data should be handled within an organisation. Promoting awareness and adherence protects your information. Policies span a wide range of topics, which you can find out more about here.

What is Information Security Policy?

Compliance Knowledge Base | Information Security Training

Posted by: Lauren Hockley Published: Wed, 15 Aug 2018 Last Reviewed: Wed, 15 Aug 2018
What is Information Security Policy?

An information security policy is a set of rules dictated by an organisation to ensure all users follow good practices to keep information safe and reduce the risk of a data breach. Information security is based upon three main principles: confidentiality, availability and integrity, all which may be enforced through implementing strong information security policies. Not only do policies protect your organisation against legal, financial and reputational damage, but they also protect those who you hold data on.

What Should Policies Cover?

Data can be found in a wide range of formats and locations. Policies should encompass the following data types:

Within most organisations, different users require and are authorised to access different types of information. A common strategy implemented to overcome this is to enforce role-based access controls, meaning all employees with the same responsibilities will receive the same access rights. Most security breaches occur due to human error, therefore restricting the amount of people who have unnecessary access to data reduces the opportunity for security incidents to occur.

Policies should also cover the physical security of the building. Unauthorised personnel gaining access to the building could result in them seeing information they are not entitled to see. Simple measures like keeping windows and doors shut and locked whenever possible are essential. Two factor authentication policies minimise the risk of people gaining wrongful access to the building. This relies upon the user displaying two forms of identification when entering. Typically, this is something they know (like a door code) and something they have (like an ID card).

Some organisations require that any information transferred outside of the organisation is encrypted. Encryption is where information is converted into a nonsense form through application of a key (an algorithm). A similar key is required to quickly reverse the encryption and display the original, meaningful information. Without access to the key, recipients are unable to access the data, therefore protecting it from falling into the wrong hands. Data stored on portable devices such as USBs should be encrypted as they can easily be misplaced or stolen. It is important for users to familiarise themselves with their organisation's encryption policy.

What is Information Security Policy?

Data Sensitivity Classification

Data can be classified into different sensitivity bands. The treatment of data and relevant policies surrounding its use are often determined by this band. A sensitivity classification system is displayed below. Access to extremely sensitive information can be further restricted through implementation of additional access restrictions e.g. passwords.

Data Type Meaning Example

Unrestricted Publicly available Public contact details, service availability, some organisational decisions

Contextually sensitive Normally made available to the public Draft forms of documents

Personal and confidential Regarding an identifiable, living person Email, date of birth, address

Extremely sensitive Would have drastic consequences on organisations Criminal offences and convictions or individuals if misused, including loss of life or failure to continue carrying out work

The Prevalence of Security Breaches

Cyber criminals are constantly testing organisation's information security defences. For example, an investigation into security breaches at UK universities found that cyber-attack rates have rocketed in recent years. Hackers have been trying to gain access to highly sensitive information such as medical records and confidential military files. There are speculations that this information is being sold to foreign powers, presenting a risk to public security. Sound university policy regarding cyber security is essential in safeguarding this important information.

The Importance of Information Security Policies

Clear and concise policies which are readily accessible help to ensure information security compliance. Information security practices are governed by several legislations, including the Data Protection Act 2018 (which is the UK's implementation of the EU General Data Protection Regulation). Therefore, information security should not be viewed as a choice, but a legal requirement. Security breaches can result in data loss, inaccurate data production, confidentiality breaches, wasting resources and even putting individuals' rights and freedoms in jeopardy.

Get in Touch

When you send us a message one of our friendly, knowledgeable eLearning experts will contact you as quickly as possible

* Required Field

Get in Touch

Get in Touch

+44 (0)1509 611 019

We'd love to talk to you about how we can help. Please leave your details below and a member of our team will get back to you.

* Required Field