
A brief introduction to the Information Security Policy
By Babby Boss

Information holds a prime position in the asset list of any modern organization, and the Information Security Policy document is the bible of the professionals tasked with protecting it. The information security policy sets the tone for all efforts to manage information security activities, and a good policy should, at a minimum, cover the following points in comprehensible language:

- Definition of information security, and its linkage with business growth, security, and continuity;
- Management's intention to treat information security efforts seriously;
- Scope of information security activities;
- Support for establishing a structure for risk assessment, controls, and risk treatment;
- Mechanism to ensure compliance with applicable laws, regulations, and other requirements;
- Awareness, training, and education requirements to raise the organizational workforce to the next level;
- Stress on the information security responsibilities of all users concerned;
- The organization's position on non-compliance with the information security policy; and
- Pointers to supplemental documents directing information security management efforts.

In theory, an information security policy is drafted so that its contents remain valid for a sufficiently long period. However, in an ever-changing business environment there is a constant need to review it. The designated owner should therefore thoroughly review the information security policy at least once a year, and whenever significant changes are introduced to the organizational environment, industry situation, legal conditions, or technological environment. The revised policy should reflect the information protection needs of the hour before it is approved, communicated, and enforced.
