As discussed in ITIL foundation certification training programs, an information security policy is part of the ITIL Security Framework. An information security policy describes how the security of the information and data will be ensured in a company. The top executive IT Management must support the information security policy. This is critical because if information security policy is not supported by the management and if there are leakages or if some employees are breaking the policy somehow, this will lead to the insecurity of the confidential data of the company. This document is an important document in the Information Security Management process which forms part of the ITIL Service Design Stage of the ITIL lifecycle. This is described in all good online ITIL trainings.
The information security policy should cover all aspects of security, be appropriate and meet the needs of the business as well. If a policy is not meeting the requirements of the business, it won’t make sense because the IT service provider fundamentally aims to provide services and processes for the use of the business. In this context, information security policy must be compliant with the business or customer requirements as well. The information security policy is a living document that evolves and changes as the business demands and the world of technology changes.
What does a good Information Security Policy look like?
The information security policy should include guidelines for:
- Use and misuse of IT assets: For instance, what will be the actions that will be followed if a USD storage device including confidential data of the finance department has been lost? Or what will be the steps of activities if laptop of a top executive has been stolen along with including top secret data of company? These should be included as guidelines in information security policy.
- Access control: How will the access of the users to the information be secured? For instance, a complex password could be required from a user. Or in the case of top confidential activities, an additional password with a key generator could be required. These are access control points that should be included in the information security policy. It is important to decide which documents need what level of access control as well as who will decide which employees are allowed to access certain documents. For example, can an employee with access to certain documentation provide access to another user, or does it have to be authorized by an executive or an IT manager? This must be specified in the information security policy.
- Password control: What will be the password change frequency? What will be the minimum and maximum numbers of characters for the password? Will it require complex characters or will digits will be sufficient? These should be documented in information security policy.
- Email & Internet Anti-virus: Most of the corporate companies provide an anti-virus for all computers in the company. And an internet policy is also installed in each computer in corporate companies. These protect the computers of the company from external attacks or hackers who are trying to steal the confidential data of the company. The information security policy must also include information regarding the company’s firewall and what types of information can enter and exit the internal network.
- Asset disposal: For instance, how will an outdated CD-ROM or DVD’s including data of the company be disposed of? Will it be burned or simply thrown to the bin? There are even special organizations who collect outdated storage devices or external disks of the companies and burn these in a safe area. How an asset will be disposed of must be documented in the information security policy as well.
- Information and document classification: There can be several types of data or information in a company. For instance, an active directory includes names, surnames, and contact information for each employee. Therefore, this information must be available for every employee in a company. On the other hand, salary or bonus information is confidential and only human resources personnel can access such data. These kinds of information and document classification must be done in the scope of information security policy.
- Remote access: Most of the companies provide remote access to the company network from external networks. These are provided by virtual private networks, key generators etc. Policies for remote access to company network are included in information security policy as well.
- Supplier Access to IT Services: An IT service provider can be acquiring external services from suppliers or partners in compliance with the supplier management process. In this case, how the supplier will access data of the company must be documented and planned in the scope of information security policy. The data of the company will be provided to an external organization and this has to be done in a secure way. The information security policy can specify whether cloud services can be used to share information with suppliers in an environment outside the company’s intranet, but the IT security manager needs to be sure that the documents shared with external suppliers are protected and remains the property of the company.
The importance of an Information Security Policy
A proper information security policy creates transparency regarding how secure information is stored in the company. It helps employees to understand how their information will be handled. Employees will feel secure if they know that sensitive information regarding their salaries is stored securely. Similarly, those employees who work with highly confidential information such as the development of new products or services will be aware of the measures that need to be taken to ensure that the company’s intelligence remains secure. Firm IT security is especially important in the Service Design stage of the ITIL service lifecycle as a lot of sensitive information regarding new services are developed during this stage.
With the help of ITIL foundation exam questions, you can assess your knowledge about information security policy framework and ensure that you are providing a good information security management for your organization.
Review by: Sally Franklin