My thoughts on the 5 Best Practices for Developing a Security Policy

Security policies are the foundation of information security in an organization. A well-drafted policy includes specific instructions for protecting information and people within the organization. These policies range from computer usage guidelines for staff to the manner in which the network is monitored.

Larger corporations typically employ a CSO (Chief Security Officer), who manages and directs the physical security of the company. The CSO's responsibility is to protect all assets of the company, including people, premises, and technology.

For small to medium-sized businesses, which may not employ a CSO, where do we go? How do we craft and adopt a policy?

We all understand that security threats exist. A security policy helps determine how to prevent and respond to these threats. In order to establish our own policies, let's review our strategy. Gartner puts the number of devices now belonging to the community of the IoT at over 6.4 billion. Where to begin?

An effective security policy is constructed and implemented to improve information availability, preserve integrity and protect confidentiality against threats from both inside and outside the organization.

Identifying and implementing suitable controls requires careful planning, and the participation of all employees in the organization is also vital to the success of information security management.


To develop an enterprise-wide security policy, we need a thorough understanding of the organization. We have to consider the goals and direction of the organization. The policy that we are going to develop must also conform to existing policies, rules, regulations and laws that the organization is subject to.

First, we need to appoint a person with enough status to own and implement the policy. This person will be your Information Security Officer. Now, before you become overly worried, this person may be a full-time specialist, but more commonly is an existing employee given this responsibility.

Getting the right set of people involved from the beginning is critical to the success of the project and to acceptance of the policy. It is a joint effort by the technical personnel, the process owners and the decision makers who have the authority to enforce the policy. The right level of authority over policy decisions is required to ensure that the policy is well written and supported, since it affects all employees in the organization.


Identify Vulnerabilities and Threats and Review Measures and Controls - Look at each threat and brainstorm potential safeguards and controls as well as their associated cost. Also note the reduction in risk from the threat if the safeguard or control is implemented. As suggested by the Harvard Business Review: place a dollar amount on the risk.


All policies should have a reasonable frequency for updates and should avoid being too restrictive and overly specific. For example, companies should consider developing a background section as a preface to the actual policy statement that explains "why" the policy exists. Remember to develop a policy that you are willing and able to enforce. For example, if you develop a policy that states that employee personal use of the Internet is prohibited, that may be impossible to enforce. Consider instead a policy that states that personal use of the Internet should be limited to breaks or lunch hours, as long as it does not interfere with productivity and with meeting deadlines and deliverable requirements. The premise behind each policy should be clearly connected to a specific objective.

Try to keep the policy from being overly specific. For example, consider a policy that states that "all desktops will be put in production with a Windows 7 operating system." As newer OS versions are released and deployed, the policy would have to be updated to cover multiple versions of the OS in production. In addition, multiple policy statements on OS updates would be required. Instead, consider language such as: "all desktops will be deployed with a secure, standard operating system."

Be certain to differentiate between policies, standards, and recommendations. Policies are high-level statements with legal weight. Standards flesh out the more exact specifications required to comply with the policy. Recommendations are more flexible, so long as they are consistent with the standards and, most importantly, the policy.

And for the love of Pete, please be sure your legal department, team, or consultant is involved. Security policies are becoming increasingly important for protecting your organization from damage and from potential or actual loss. Intellectual property and trade secrets can be compromised and disseminated at the stroke of a key.

NOTE: If you have employees who work remotely, it is much more difficult to monitor compliance, so give careful consideration to the language and policy concerning remote users.


Even the most outstanding policy might be worthless for the following reasons:

  • Your employees never see it
  • Your employees do not know how to find it
  • Your employees only see it once, during onboarding or new hire orientation
  • The language of the policy is too specific and technical, and far too complicated
  • You never required acknowledgement of the policy

Be sure to require acknowledgement of the policy during security awareness training. The key to a healthy policy and effective execution is to keep it FRESH! Continue to raise awareness with annual training. This could be a simple quiz that you require to be completed and passed annually, or more frequently for sensitive areas.


Once you have created this amazingly lovely and special policy document with your blood, sweat and tears and a significant budget allocation, how often do you reassess it, and how do you enforce it? There are tools that allow the policy to be viewed within the company intranet. This allows for tracking of updates, compliance quizzes, and so on. Other companies specialize in security policy review and audit.

One way for leadership to be involved and more invested in the process is to have your executive leadership/management team meet annually to review the policy and update or eliminate any outdated segments.

If you are looking for a place to begin, a more boilerplate solution, testing policy and services, monitoring services, or perhaps a sympathetic ear for your policy and planning woes - look no further than your friends at Velocity Tech Solutions. We will help you through this.

We listen. We Support. We Deliver.