Why Are Information Security Policies Important?


Your greatest weakness is not your security technology—it is the people you work with every day. Each member of your organization is a hacker’s potential access point to sensitive information in your company. And, conversely, each member of your organization could potentially become an internal hacker. Information security policies define acceptable and unacceptable behavior for handling information and thus help ensure that information is not accidentally leaked, compromised, or destroyed.

You might find our assertion to be a bit paranoid, because you likely know and trust many people in your organization. However, abuse of company resources does occur, even in smaller firms. For example, one individual we know is a consultant for a small company with roughly 35 employees. One employee was discovered to be running his own online used car sales company from his workstation as well as his own Web site, using the firm’s e-mail address for his own purposes. Security policies can curtail this type of activity. By the way, this firm implemented a new security policy stating that use of the company’s computers for personal or side businesses was strictly prohibited. This action stopped one other employee from engaging in an online trading business over the lunch hour.

The process of outlining security policies forces management to define how much risk they are willing to accept relative to their most critical information assets. Specifically, it answers these questions:

  • What is the most critical information?

  • Where does this critical information reside?

  • Who will be able to access this information?

  • What are the costs to the organization if the information is compromised or destroyed?

  • What measures will the company take to ensure the information’s privacy and integrity?

Explicit information security policies help ensure that the proper security technologies are purchased and implemented. Failure to establish an adequate organizational infrastructure for information security can lead to costly mistakes—in terms of money, time, and unexpected vulnerability. Your organization must thoroughly document the following: who assumes responsibility for certain actions, policies, standards, operational procedures, enforcement mechanisms, risk analysis, the security incident response team, the information security budget, and the planning team.

One other very important reason to implement information security policies is the growing body of case law that essentially says management, and sometimes technical staff, can be held liable for inadequately addressing information security matters. The basis of such liability can be negligence, breach of fiduciary duty, failing to use the same security measures found in other organizations in the same industry, failing to exercise due care, or failing to act after receiving actual notice of a problem. Be sure to speak with your legal counsel about the level of exposure your organization currently has regarding its security.




Microsoft Exchange Server 2003 Administrator's Companion
ISBN: 0735619794
Year: 2005
Pages: 254