What is an IT Security Policy?

An IT security policy is a set of documented standards and procedures an organisation will follow in the event of a security breach. It is an extremely important part of a company's defence against cyber threats, and a resource for employees and employers that covers the full range of IT-related activities in the business.

The main policy, and any documentation that supports it, should be continuously revised to ensure it stays up to date with current regulations and guidelines. This guide is a brief overview of what should be included in an IT security policy.

What Is An IT Security Policy For?

An IT security policy outlines the standard of how IT is used in a business, how it should be used (i.e. best practice), how to mitigate risks, and what to do when something goes wrong. It should be linked to employee training and be accessible for people to read and understand. IT security policies exist to keep company and customer data safe, to educate staff, and to support disaster response. The Information Commissioner's Office (ICO) requires organisations to include an IT security policy as part of their GDPR compliance. The ICO state that any measures put in place by organisations must ensure the "confidentiality, integrity and availability" of systems, services and any personal data that is processed through them. This data refers to that of your employees and customers: anyone whose personal data you process.

What Should Be Included In An IT Security Policy?

Depending on the size and type of the business, an IT security policy could be quite simple or very complex.

Scope

Scope explains what the IT security policy covers. This includes what activities are to be expected as part of the business operations, and who the policy applies to.

Access Rights and Responsibilities

An IT security policy should detail the different levels of authorisation and access across the company. Being clear on who is responsible for what means there will be no confusion later. In this section, explain the chain of command, access, authorisation, and the people involved, including their contact details and what they are responsible for.

Company Values and Objectives

This section is for tying the importance of IT security to the company's business and social goals. It is where a company demonstrates its commitment to IT security and reassures consumers why their data is safe with that company. This is not a section for listing all of the company's values and goals, just the ones that are relevant to IT security.

Information Classification

An IT security policy should explain how the company's data and information is classified and organised. It could include the names or levels of the people who have access to it. If it is not already covered in a GDPR or privacy policy, this is the best place to set out data retention. Retention refers to how long information is kept.

Training and Compliance

The success of an IT security policy relies on the competence of the people at the organisation. Employees need to understand their own responsibilities and those of others. Training on what makes a safe password, how to identify compliance issues and who to report them to is paramount. A well-written IT security policy will not be effective if staff do not understand why it has been written, what it all means, and what the consequences of inappropriate usage are. It is in this section that you can add the rules around employees using their own devices for work (known as a Bring Your Own Device policy), using company devices, and expectations for using devices outside of working hours.

Operations and Security Management

In this section, detail the daily and long-term IT-related activities, such as how IT is used and implemented in the business. This is where details of the programmes, software and hardware are shared. This section can also include the protocol for running updates, backups and encryption.

Incident Management

Incident management refers to the procedures in place to handle a security breach such as a cyber attack. Everyone in the business is responsible for spotting and reacting to a cyber incident according to the procedure, so it should be clearly written and accessible to all. As part of incident management, an IT security policy could include a disaster recovery process. Disaster recovery outlines what needs to happen to get the business back on track in the event of a disaster (cyber or physical).

Depending on the size and type of a business, IT security policies can vary. They can be extremely detailed or more of an overview. An approach to writing an IT security policy should start with conducting risk assessments and getting buy-in from all stakeholders. It can be a complex and time-consuming task, which is why it is a service provided by the team at PCR Connected. Reach out to us for advice or to discuss your needs.
