How to create an enterprise information security policy – and make it stick: the 2022 guide

Due to the coronavirus pandemic, remote work has become just ‘work’ for 31% of the global workforce. They don’t seem to mind, with 91% preferring working from home because they can create a better work-life balance, and 79% thanks to a boost in productivity, Forbes reports. But while employees are more focused and less stressed at home, are they just as safe as in the office?

Looking at the latest cybersecurity statistics, the answer is a resounding “no.” In Switzerland, for example, the National Cyber Security Center saw 350 cyberattacks within a single month during the pandemic, a far cry from the ‘norm’ of 100-150. The City of London Police reported that between January and June 2020, more than £11 million had been lost due to COVID-19 scams.

No wonder: research shows that a whopping 47% of people fall for a phishing message while working from home.

“Traditional information security programs at well-established organizations had a tough time keeping up with the rate and volume of changes that resulted from the COVID-19 pandemic,” explains Timothy Kropp, global chief information security officer at SS&C Technologies. “The days of the four-walled security operations centers, locked doors, with staff members comfortably inside, went away.”

This means that having a well-thought-out enterprise information security policy (ISP) in place, which is easy to understand and follow, is more important than ever. In this guide, we’ll walk you through the what, why and how of creating data security policies that work for organizations and users alike.

First things first: what’s an ISP and why do you need one?

An enterprise information security policy is a set of rules that people with access to the organization’s data, assets, networks, and other IT resources must follow to minimize cyber risk exposure. The cornerstone of cybersecurity resilience, ISPs ideally cover all elements of an enterprise IT ecosystem, from hardware and software to employees and the company’s extended vendor network.

In other words, an ISP is your first line of defense against the damage, loss, or misuse of your organization’s data assets. The purpose of the information security policy is to define your overall approach to cybersecurity, offer users clear and relevant guidance on security and incident dos and don’ts, and break down the roles and responsibilities for effective and secure information governance.

The CIA triad, aka the three main principles of information security

Albeit fitting, the term ‘CIA triad’ has nothing to do with the well-known US government agency but everything to do with the three pillars of a robust corporate information security model; that is, confidentiality, integrity, and availability.

Confidentiality refers to an organization’s ability to protect information against disclosure attacks, such as network reconnaissance or electronic eavesdropping. Confidentiality measures, e.g., encryption, are put in place to ensure that authorized users have the necessary privileges to access specific assets while unauthorized users are actively prevented from accessing them.

Integrity is about ensuring that information is not tampered with during or after submission. Data integrity can be compromised by accident, through human error, faulty data transfer, or device failure, and on purpose, by evading intrusion detection or changing file configurations to allow unwanted access. Techniques to preserve data integrity include encryption, hashing as well as digital certificates and signatures.

Availability requires organizations to have up-and-running systems, networks, and applications to guarantee authorized users access to information without any interruption or waiting. It means resilience against all kinds of disruption in data availability, including cyber threats, human error, hardware and software failures, natural disasters, and power outages. Countermeasures range from regular system upgrades and backups to denial-of-service protection solutions.
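To make the integrity principle above concrete, here is an added example (not code from the original article or from Tresorit) showing why the paragraph lists both hashing and keyed mechanisms such as HMAC and signatures. The sample record and the demo key are constructed for the illustration; the scenarios model accidental corruption in transit versus deliberate modification, and show which check catches which.

```python
import hashlib
import hmac

# Constructed sample record standing in for a document in transit (not real data).
RECORD = b"invoice_id=1042;amount=1500.00;payee=ACME Ltd"

# Constructed demo key; a real deployment would generate it and keep it in a key manager.
DEMO_KEY = b"constructed-demo-key-do-not-use-in-production"


def plain_hash(data: bytes) -> str:
    """Unkeyed SHA-256: catches accidental corruption (faulty transfer, disk errors)."""
    return hashlib.sha256(data).hexdigest()


def mac_tag(key: bytes, data: bytes) -> str:
    """Keyed HMAC-SHA256: catches deliberate tampering by anyone who lacks the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_plain_hash(data: bytes, expected: str) -> bool:
    return hmac.compare_digest(plain_hash(data), expected)


def verify_mac(key: bytes, data: bytes, expected: str) -> bool:
    # compare_digest avoids leaking the position of the first mismatching byte via timing.
    return hmac.compare_digest(mac_tag(key, data), expected)


def simulate_transfer_bit_flip(data: bytes) -> bytes:
    """Model accidental corruption: flip one bit in the middle of the payload."""
    i = len(data) // 2
    return data[:i] + bytes([data[i] ^ 0x01]) + data[i + 1:]


def integrity_checks() -> dict:
    """Run three scenarios and report whether each check detected the change."""
    sent_hash = plain_hash(RECORD)
    sent_tag = mac_tag(DEMO_KEY, RECORD)

    # Scenario 1: accidental corruption in transit (one bit flipped).
    corrupted = simulate_transfer_bit_flip(RECORD)

    # Scenario 2: deliberate modification where the unkeyed hash is recomputed
    # over the altered data, which anyone can do because no secret is involved.
    altered = RECORD.replace(b"1500.00", b"9500.00")
    altered_hash = plain_hash(altered)

    return {
        "intact_hash_ok": verify_plain_hash(RECORD, sent_hash),
        "intact_mac_ok": verify_mac(DEMO_KEY, RECORD, sent_tag),
        "corruption_caught_by_hash": not verify_plain_hash(corrupted, sent_hash),
        "corruption_caught_by_mac": not verify_mac(DEMO_KEY, corrupted, sent_tag),
        # The recomputed hash matches the altered data, so a hash-only check passes.
        "alteration_caught_by_hash": not verify_plain_hash(altered, altered_hash),
        # The MAC tag was computed over the original; without the key it cannot be
        # regenerated for the altered record, so the keyed check fails as it should.
        "alteration_caught_by_mac": not verify_mac(DEMO_KEY, altered, sent_tag),
    }


if __name__ == "__main__":
    for name, result in integrity_checks().items():
        print(f"{name}: {result}")
```

The takeaway for a policy author: a checksum alone only meets the "accident" half of the integrity definition; protecting against deliberate changes requires a key the modifier does not hold, whether an HMAC secret shared with the verifier or a private signing key backed by a certificate.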

Acceptable use, backup, clean desk: essential information security policy examples

Truth be told, writing an enterprise information security policy can become overwhelming really fast. First, think about the types of technologies deployed within your organization and the security risks they pose for your business. The list of information security policy examples below is nowhere near complete. Still, it will give you an idea of what policies you might need:

  • Acceptable Use Policy: lays out the dos and don’ts of using IT equipment, facilities, and resources, including the consequences of non-compliance.
  • Clean Desk Policy: prescribes removing sensitive business information from workstations at the end of each workday, from meeting notes to USB sticks.
  • Change Management Policy: includes the processes required to make changes to the enterprise IT ecosystem without disrupting business continuity.
  • Data Backup Policy: outlines the ground rules for planning, executing, and validating backups to ensure that critical data is securely and routinely backed up.
  • Data Breach Response Policy: contains tools and protocols for recognizing and handling data breach incidents in a timely, coordinated, and efficient manner.
  • Disaster Recovery Plan Policy: defines the concrete steps an organization must take in the event of a disaster, natural or man-made, to recover critical data and functions.
  • End-User Encryption Key Protection Policy: describes the rules of protecting encryption keys that are under the control of end-users to prevent fraudulent use.
  • Monitoring and Logging Policy: sets forth what events and activities should be logged and how logs should be transmitted, rotated, retained, and stored.
  • Password Creation and Management Policy: covers how to create, change, and protect user passwords, including complexity and length requirements.
  • Remote Access Policy: provides guidance on how to connect to a company’s internal network from unsecured locations such as public spaces or home networks.
  • User Identification, Authentication, and Authorization Policy: defines the process of verifying the identity of users attempting to access enterprise resources or applications.

What should be in an information security policy? Tips on structure and scope

When it comes to information security, no two businesses have the same needs and challenges, which means there’s no one-size-fits-all information security policy template. As a general rule, however, an enterprise information security policy should touch upon nine key elements: purpose, audience, objectives, authority and access control, data classification, data support and operations, security awareness and training, personnel responsibilities, rights, and duties, plus references to the regulatory framework.

Always start with outlining the purpose of the information security policy, whether it’s to protect customer rights or the company’s reputation in terms of ethical and legal responsibilities. This way, your audience will have a clear idea of what the policy goal is and what it’s advocating for. In the same spirit, you should also clearly state to whom the policy applies. A word to the wise: it’s also a good idea to describe to whom the policy doesn’t apply, to avoid ambiguity.

Under security objectives, define the ultimate outcome that the policy is intended to bring about in the short, mid, and long run. Keep in mind that this vision, as well as the strategies used to realize it, must be agreed on by company management before they go into the policy document. Otherwise, you risk rendering the policy and your information security efforts meaningless. Not sure how to get started? Use the CIA triad as an information security policy framework to explain your goals and users’ roles and responsibilities in upholding them.

The access control policy addresses who decides what data can and can’t be shared, as per organizational hierarchies and regulatory requirements, with a special focus on sensitive information. This brings us to data classification, aka categorizing information based on the level of confidentiality and protection it requires. There’s no set-in-stone way to do this, but the four-level ISO 27001 information classification might be a good starting point. Next, describe how each type of data should be handled in terms of data protection, backup and encryption, and transmission.

Writing an ISP is only half the story. Organize training sessions on data protection protocols that focus on the most common cybersecurity threats, the company’s clean desk principles, the acceptable use of IT resources, and the steps to be taken in the event of a security breach. Pro tip: ask participants to take a short test at the end of each training topic to check if you’ve got your message across.

Next, define everyday staff duties in connection with network, device and data security, policy implementation, education as well as incident reporting and response. It’s best to provide real-life examples, so readers have a better understanding of what’s expected. Finally, refer to relevant legislation for more details, such as the General Data Protection Regulation in the EU, or the Health Insurance Portability and Accountability Act (HIPAA) in the US.

Bonus tip: don’t just make the rules

Make it easy for people to follow them. In a world where, according to Deloitte, the average cost of a data breach resulting from WFH can be $137,000, cyber safety should be a top-of-mind concern for businesses everywhere. But if complying with the rules gets in the way of getting work done, you can have textbook information security policy guidelines, and people will still find a way to work around them. This is where tools like Tresorit’s end-to-end encrypted cloud solution can make a real difference.

Tresorit has been designed to help businesses tighten up security, boost data-handling compliance, and keep collaboration hassle-free. Here’s how:

  • Tresorit encrypts every file and relevant metadata on users’ devices using end-to-end encryption. Accessing files is only possible with a user’s unique decryption key that no one else, not even Tresorit, has knowledge of.
  • We guarantee that your files’ contents can’t be modified without your knowledge, even if somebody hacks our systems, thanks to cryptographic authentication applied to all encrypted data in the form of HMAC or AEAD.
  • Admins can monitor and decide which devices are allowed to access which files within the organization and from where users are allowed to log in to their company account to safeguard business-critical documents.
  • Tresorit Business admins can apply policy templates, including 2-step verification, IP filtering, timeout policies, allowed devices, and sharing policies, to a set of users, create different policies for each template, and modify these policies at any time.
  • Files and tresors can be controlled at a granular level, ensuring that they’re only accessible to those who need them. File downloads can be limited and access revoked at any time. Previous versions and deleted files can be restored quickly without data loss.
  • Secure external collaboration with partners, especially in privacy-critical industries, such as law or healthcare, is vital. Tresorit allows you to create virtual data rooms where external collaborators can access highly sensitive content safely.

Learn more about how enterprises use Tresorit and reach out to our team today to get started.