Skip to content

May 28, 2019 | Paul Mazzucco

3 Ingredients for an Effective IT Security Policy

What is an IT security policy?

An Information Technology (or IT) policy should mandate a foundation of information and security posture throughout the organization. The policy will guide the business to a better IT security and data protection culture. 

Two roles of an IT security policy

An IT security policy has two main roles. First, an IT security policy applies security to the needs of the business. The policy should support the business goals of the company’s executives. 

The second role of an IT security policy is to guide employees in helping the business be secure. When end-users understand and follow the company’s security policy, they can help prevent data breaches, downtime impacting key systems, and data loss. 

IT security policies need a security-first culture

A culture that puts security first must be infused throughout the organization, not treated as an add-on document. Building an IT security policy and security culture starts from the top. It includes business goals, industry, and government regulations, and security risks specific to your organization. 

The CIA triad can help guide your IT security policies. It requires the addition of a rigorous IT security program that promotes defense-in-depth and technology-based controls. The three components of the triad are: 

  • Confidentiality: Limit information access and disclosure to authorized users. 
  • Integrity: Monitor data sources and ensure only appropriate changes to the data are allowed. 
  • Availability: Ensure systems and data security measures do not hinder authorized individuals from accessing information. 

For IT security controls, I recommend the NIST Special Publication 800 series, which provides specific guidance for information systems security. 

Create an IT security policy with guidelines

An IT security policy can help your employees contribute to IT security in many ways every day. If it’s not a mandate, it doesn’t belong in your IT security policy. 

Your IT security policy and procedures must be understandable and enforceable. Be brief. Provide clear expectations. Be sure they can and will be enforced – ideally through IT security controls and monitoring technology. 

Consider your business and the security threats it faces when laying out the contents of your IT security policy. The following are components that may apply to your business and its IT security policy. Some of these areas, such as patch management, may be delegated to sub-policies managed at a sub-organizational level: 

  • Types of critical (and confidential) data, access control, and data encryption 
  • Use of third-party cloud storage 
  • Data retention, backups, and disaster recovery 
  • Building access and other physical IT security 
  • Workstation and device security, and data encryption
  • Acceptable use policy 
  • Remote work and use of mobile devices 
  • Security incident response and reporting 
  • Authorized software 
  • Change management, including software updates
  • Password security 
  • Email use, malicious links, and attachments 
  • Threat management, such as virus protection and intrusion detection 
  • Exception handling 
  • Consequences of non-compliance and penalties for violations 
  • Audit and third-party review requirements
  • Employee training requirements 
  • Communication plan to engage staff to achieve awareness and adherence to the IT security policy. 

InfoSec provides helpful information in its Key Elements of an Information Security Policy. 

7 best practices to implement your IT security policy

An IT security policy can’t stop with a paper-based plan. It must be enforceable, preferably with technology-based controls. I recommend these seven actions to ensure your IT security policy is fully implemented and enforceable. 

1. Push security to the edge

You don’t want the enemy at your front door. Today, network security with a defense-in-depth model starts with monitoring and mitigating threats at the edge of your network. AI and machine learning can help teach employees about security incidents in a way that is clearer than paper-based training. In addition, correlation and regression testing can identify activity and incidents that a security professional might miss. 

2. Put controls in place

Prevent employees from violating your IT security policy by never allowing access to critical data. Especially, if the employee doesn’t need access to that data to do their job. 

3. Rule through technology

Ensure security by design across your entire infrastructure using technology that it is not adjusted by employees. 

4. Inspect what you expect

Monitor data access, such that if critical data is accidentally or maliciously accessed, you log and alert on the event and have a record of the IP address that tried to access the data. 

5. Hire a third party to audit your IT security implementation

Bring in third-party experts to ensure your organization’s compliance with relevant mandates, like: 

  • SOC 1 
  • HIPAA 
  • NIST 800-53 
  • NERC 
  • GDPR 

6. Monitor industry trends

Keep an eye on where the industry is moving. Your organization may need to make changes in order to respond to customer requirements and changing standards for compliance. For example, HIPAA is getting replaced by HI-TRUST, which requires a more granular level of IT security testing. 

7. Promote continuous improvement

Actively seek to find security flaws in your organization and close them. This continuous improvement work will help make your organization’s IT security smarter and better. Make your IT security policy a living document and update the policy and employee training at least every year. 

We help clients with IT security

As a leading data center and managed services provider, we assist our clients with compliance requirements for their governance, audits, and security controls. Learn more about our Security & Compliance products. 

Strategic Guide to IT Security

Subscribe to the TierPoint blog

We’ll send you a link to new blog posts whenever we publish, usually once a week.