Information Security Policies – What Should Be Addressed?

Posted: August 25, 2016

Information Security Policies – What Should Be Addressed?Have you given much thought as to what should be included in your company’s Information Security policies?
Now, that question may have you worried. Everyone knows that to be compliant with a given standard (e.g. PCI or HIPAA) or to implement a comprehensive cyber security program, the company must maintain a set of Information Security policies. The policies, as well as the associated processes, need to be reviewed and updated at least annually. However, a bigger question may be what do these policies need to address?

Let’s start at the beginning.
The first thing I want to know is what type of information you will be processing, storing, and/or transmitting. Information comes in many varieties including, but not limited to, Credit Card Data, Protected Health information (PHI), and Personally Identifiable Information (PII). We will refer to this as “Sensitive Information.” When security of sensitive information is of major importance to a company, the company needs to establish the rules and guidelines used to protect the sensitive information they process and retain.

But really, where do I start?
That’s easy! Start at the beginning by establishing a secure sensitive information environment that includes both physical and logical security. While these two items may seem simple, there is a great deal involved with them both.

Physical security addresses the following:

  • The facility where sensitive information is located or accessed
  • Who has access to the facility
  • How is access controlled and monitored
  • The processes when access is terminated
  • The physical security of devices located in the facility (i.e. be any device connected to or used in the processing of the sensitive information)

Lastly, storage media also must be secured by identifying who has access to the media, where it is stored, and tracking where that media is at all times.

On the other hand, Logical Security addresses how information is accessed, who has access to the information, how access is controlled and monitored, and the processes when access is terminated. Logical security includes how individual user IDs are created and managed, the level of access a user is provided, and of course passwords.

What about information handling?
It is imperative to develop policies and procedures specific to how the sensitive information is received, stored, processed, and transmitted. Specifically, policies and procedures will need to address:

  • What information is stored
  • How information is used
  • How long information is retained
  • How information is disposed of at the end of its lifecycle.

The encryption of sensitive information, a requirement of many of the standards, will need to be addressed as well as the management of the encryption keys. Detailed backup guidelines need to be defined that includes when backup processes are executed, how they are verified, where the backup files are located, who has access to the backup files, how long are they retained, and how they are disposed of.

What to do when bad things happen?
Even with all of your planning and security implemented, bad things can happen. These bad things are referred to as “Incidents.” You will need a policy and detailed processes on how to respond to these incidents. A proactive approach to dealing with potential bad things (Incidents) is to perform Risk Assessments. An assessment should identify your critical assets, potential threats and vulnerabilities to the assets, and an evaluation of the controls implemented to address the threats.

Summarizing all of this.
Information Security policies and the associated supporting processes need to address how sensitive information is protected and managed as well as the environment where the information is processed, stored, and transmitted. Access to sensitive information must be restricted to only the personnel that require access to perform their job tasks. The requirements related to a standard must be addressed to be compliant.

Many companies find that they need to comply with multiple standards, for example medical facilities that also process credit card information. In an upcoming blog, I will provide more details on combining and overlapping requirements in your information security policies.

In the meantime, if you have any questions or need assistance with any policy or procedure development, please feel free to reach out to us at

Donald Heisch

Author: Donald Heisch

Donald Heisch is an Information Security Consultant at CompliancePoint and has over 40 years of experience in information security and technology. Donald’s focus is on information security policy development for client’s compliance with the Payment Card Industry (PCI), the Health Insurance Portability and Accountability Act (HIPAA), and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

Leave a Reply

Your email address will not be published. Required fields are marked *

Reduce risk, maintain a compliant posture, and protect info