An Information Technology (IT) Security Policy identifies the rules and procedures for all individuals accessing and using an organization's IT assets and resources. Effective IT Security Policy is a model of the organization’s culture, in which rules and procedures are driven from its employees' approach to their information and work. Thus, an effective IT security policy is a unique document for each organization, cultivated from its people’s perspectives on risk tolerance, how they see and value their information, and the resulting availability that they maintain of that information. For this reason, many companies will find a boilerplate IT security policy inappropriate due to its lack of consideration for how the organization’s people actually use and share information among themselves and to the public.
The objectives if an IT security policy are the preservation of confidentiality, integrity, and availability of systems and information used by an organization’s members. These three principles compose the CIA triad: Confidentiality involves the protection of assets from unauthorized entities, integrity ensures the modification of assets is handled in a specified and authorized manner, and availability being a state of the system in which authorized users have continuous access to said assets.
The IT Security Policy is a living document that is continually updated to adapt with evolving business and IT requirements. Institutions such as the International Organization of Standardization (ISO) and the U.S. National Institute of Standards and Technology (NIST) have published standards and best practices for security policy formation. As stipulated by the National Research Council, the specifications of any company policy should address:
Also mandatory for every IT security policy are sections dedicated to the adherence to regulations that govern the organization’s industry. Common examples of this include the PCI Data Security Standard and the Basel Accords worldwide, or the Dodd-Frank Wall Street Reform, the Consumer Protection Act, the Health Insurance Portability and Accountability Act, and the Financial Industry Regulatory Authority in the United States. Many of these regulatory entities require a written IT security policy themselves.
An organization’s security policy will play a large role in its decisions and direction, but it should not alter its strategy or mission. Therefore, it is important to write a policy that is drawn from the organization’s existing cultural and structural framework to support the continuity of good productivity and innovation, and not as a generic policy that impedes the organization and its people from meeting its mission and goals.