Creating Well-Defined Information Security Policies

Posted: December 7, 2016

In a previous post, we addressed the critical elements to address in information security policies. Now, let’s consider an effective approach to creating well-defined policies.

The creation of well-defined information security policies is not a “one size fits all” process. Not every company has the same type of information or processes. The journey to create policies and processes should be unique to your organization’s environment.

Information security policies should be based on an industry-accepted system configuration or hardening standard. For example, consider the National Institute of Standards and Technology (NIST), the SysAdmin, Audit, Network, and Security (SANS) Institute, or the International Organization for Standardization (ISO).

Both the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA) reference NIST standards. Thus, let’s focus on the NIST standards as they apply to privacy and security controls. More specifically, let’s focus on NIST Special Publication 800-53, since that publication is aimed at helping organizations protect assets, individuals, and other organizations from a diverse set of threats (e.g. hostile cyber-attacks, natural disasters, structural failures, and human errors).

“What is the difference between a best practice and a requirement?”

A requirement is something that you must meet in order to be compliant with a standard or regulation, for example PCI DSS or HIPAA.

A best practice is the process used to meet the requirement. However, simply having developed a process that satisfies the requirement does not make that process a best practice. The distinction is more precise than that: the process should be built on a recognized control, for example a NIST SP 800-53 control, rather than on whatever happens to get you past an audit.

Using media destruction as an example (also referred to as media sanitization), the requirement might be something like “Destroy media when no longer needed.” A best practice process would be based on the NIST SP 800-53 Media Sanitization control (MP-6, in the Media Protection family) and its enhancement MP-6(1), and would include steps to review, approve, track, document and verify the sanitization or destruction. The sanitization methods themselves (clear, purge, destroy) and how to choose between them for a given media type are covered in NIST SP 800-88, which MP-6 references.

Your next question may be “Where do I start?”

Simply put, start with a good foundation. As you begin creating your information security policies, start with a basic industry-accepted standard. Review the requirements and regulations (HIPAA, PCI DSS, etc.) that you must address for data privacy, retention and destruction, financial accountability, and recovery from disasters. Identify the security or privacy control that maps to each requirement. Using that mapping, write a well-defined policy statement and a best practice process for each one.

If you have any questions or need assistance with your policy or procedure development, please feel free to reach out to us at

Author: Donald Heisch

Donald Heisch is an Information Security Consultant at CompliancePoint and has over 40 years of experience in information security and technology. Donald’s focus is on information security policy development for clients’ compliance with the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
