Why do you need a security or privacy policy?

The list of reasons goes on and on, so it is difficult to give a comprehensive answer, and the answer may also differ from organization to organization. Below is a list of some of the main reasons we see:

  • It is the key driver of your security and privacy strategy
  • It ensures a consistent interpretation of security and the related risks across the organization
  • It provides the different target audiences with a translation of that strategy into requirements they can understand and implement
  • It reduces risk exposure and legal liability
  • It fulfils compliance (e.g. GDPR, HIPAA, SOX, PCI DSS, GxP) and audit requirements
  • It helps to embed security and privacy by design, and therefore avoids costly remediation exercises later on
  • It can increase productivity and efficiency (e.g. via smarter control execution)
  • It allows you to explore new technologies and horizons in a more confident manner – using an analogy: you can only drive fast if you know you can rely on your brakes

Structuring your policy framework is key

Your policy is never a single document, it is a set of documents with different levels of detail and different target audiences. As such, a policy is more a framework of documents than a single document in itself.

Typically (but not necessarily), a policy framework will consist of three layers, as illustrated here.

The third layer sometimes includes procedures as well, though these procedures preferably sit in an operational process documentation framework.

A clear structure for your policy is paramount. Without structure your policy becomes a set of disconnected, unmanaged documents that may be difficult to find and which will contain many gaps, overlaps and discrepancies in terms of their requirements. Furthermore, their timely revision or even retirement is not managed.

A clear and organised framework …

  • Allows for structure
  • Avoids a cluttered, unclear set of requirement documents
  • Avoids overlaps, gaps and contradictions
  • Ensures proper document management and lifecycle (ownership, review, endorsement, communication, publication, change control, retirement, etc.)

In fact, you should make it a clear rule that all documents providing security requirements or guidance must fit into the framework. If needed, adjust the framework to allow for new types of documents and content. Don’t allow stand-alone documents.

Structuring your security policy

As indicated in the About Policies tab, it is important to structure your policy framework. For security policies, the below is a good example of how you can structure your policy framework.

The documents available on securitythisway.com are grouped according to this framework. However, if needed they can easily be adjusted to fit any other framework you may have.

Key success factors

The presentation below illustrates how a security policy fits into the broader policy landscape of an organisation. It also highlights how structure, alignment and restricting your scope to requirements (and not elaborating into defining processes) are key success factors for an effective policy.

Policy documents available

The below list provides an overview of the current policy documents available. Contact us if you can’t find what you are looking for. Likely we already have a version in draft but did not find the time to add it here.

  • Security Policy
  • Security Policy Foreword (executive endorsement)
  • Records Management Policy
  • Classification
  • Information Risk Management
  • Third party information risk management
  • Access Management
  • Access Control (identification, authentication, authorization)
  • Minimum information risk and security requirement for IT governance processes
  • IT Continuity and Disaster Recovery
  • Physical security of computer rooms and data centers
  • Physical security of archive rooms
  • General information handling
    • This is a general, overarching acceptable use policy, introducing confidentiality classification and privacy data protection, and subsequently giving the highlights of how to protect information in all its forms (e.g. spoken, paper documents, electronic files, etc.) and in all stages of the information life cycle (e.g. create, store, share, dispose, etc.)
  • Call and conferencing solutions
    • This acceptable use baseline covers the acceptable use of call and conferencing solutions. This includes calling, audio and video conferencing via mobile phone, landline phone, soft phones, collaboration suites (e.g. Skype), web conference solutions, mobile apps, etc.
  • Digital storage and file sharing (including cloud, SharePoint, file server, etc.)
    • This acceptable use policy covers the acceptable use of electronic file storage and file sharing solutions, including your end-user devices, network file shares / network drives, SharePoint and cloud services. The policy covers both the generic requirements and the solution-specific requirements (including any limitations).
  • E-mail
  • End-user device (PC, tablet, smart phone or similar)
  • Internet
  • Messaging
    • This acceptable use policy covers both mobile and desktop messaging in all its forms
  • Passwords and access credentials
  • Phone / Mobile Phone
  • Remote access
  • Removable Media (USB flash drive, portable hard drive, CD, etc.)
  • Electronic signatures
  • Social Media – External
  • Social Media – Internal
  • Travel
    • This acceptable use policy covers security practices for those who travel; however, it also includes guidance for people commuting to and from your sites via public transport. It describes the information security risks and provides an overview of the measures to take before, during and after travel or commute. This is to protect valuable information from being disclosed (seen, overheard), stolen or misused during your commuting, business travel and remote working.
  • Photography, and audio and video recording
    • This acceptable use policy covers the requirements and restrictions related to recording – this includes photography, audio recording and video recording (or similar).
  • Encryption
  • Two-factor authentication
  • FAQ
  • Glossary

Other related content

Additional related content can be found in other content sections. Click on the links to access them.

What about IT Security Baselines?

securitythisway.com does not offer IT security baselines. The in-depth, technical aspects of IT and cyber security are out of scope. We leave that to others who are far better at it, and instead we focus on what we are good at: the strategic, governance, managerial and policy-related aspects of information security.

A great reference for IT security baselines is CIS, the Center for Internet Security. Its security benchmarks are a great starting point for defining the minimum security baseline of the technologies you deploy.

The importance of a data protection or privacy policy

Whether it is GDPR, HIPAA, country or state privacy laws, as soon as personal information is involved you will have to comply with one (or even several) data protection and privacy laws or regulations. These may differ in scope and severity, but they all share common elements and govern the collection, management, security and sharing of personal information.

Failure to comply with data privacy laws and regulations goes far beyond the risk of fines from data protection authorities. It may also cause one or more of the following:

  • severe negative media attention and reputational damage
  • class-action litigation and civil or even criminal penalties
  • operational losses or delays due to suspension or termination of key data transfers

A privacy policy is not only mandated by many privacy laws and regulations; it also represents a first step toward enhancing an organisation’s data protection practices. The development and implementation of a precise, yet enforceable privacy policy will inform staff of the various aspects of their responsibilities in terms of data protection and explain how personal information must be handled in a secure and compliant manner.

Aligning with the security policy

Once personal information is collected or processed, data privacy is largely about the confidentiality of that data. In that sense it strongly overlaps with information security. The controls and requirements for protecting personal information are no different from those for other types of confidential information.

An effective and efficient privacy policy framework therefore strongly aligns with the security policy framework. For example, privacy incidents are also security incidents, hence there is no need to put in place two separate incident processes. Failure to align and integrate where needed will result in confusion, non-compliance, redundant and bureaucratic processes and inefficient use of resources.

Policy documents available

The below list provides an overview of the current policy documents available. Contact us if you can’t find what you are looking for. Likely we already have a version in draft but did not find the time to add it here.

  • Privacy policy
  • Privacy Guideline on cross border data flows
  • Privacy Guideline on data transfers to third parties
  • Privacy Guideline for the setting up and managing databases containing personal information
  • Privacy Guideline on data breaches
  • Privacy Guideline on anonymising personal information
  • Policy FAQ
  • Glossary

Other related content

Additional related content can be found in other content sections. Click on the links to access them.