Multi-dimensional enterprise-wide security: The goal of an information security policy

Learn how to protect information assets and resources within all areas of the enterprise and in compliance with all regulatory, policy and contractual requirements.

This tip is excerpted from Chapter 3 of The Definitive Guide to Security Inside the Perimeter, written by Rebecca Herold and published by Read the entire e-book for free.

An information security policy documents executive management's direction on, and commitment to, information security. To be effective, you must communicate the security policy to everyone within your enterprise that handles your information or uses your systems.

An effective information security policy will...

  • Include a statement of direction from executive management supporting the goals and principles of information security.

  • Communicate the business risks associated with information security incidents and accidents.

  • Document information security responsibilities and the high-level principles personnel must observe.

  • Specify key activities that must occur within the organization, such as carrying out security classifications and risk analyses, safeguarding important records and reporting suspected security weaknesses.

  • Require information to be protected in terms of its requirements for availability, integrity and confidentiality.

  • Emphasize the need for compliance with software licenses and other legal, regulatory and contractual obligations.

  • Prohibit unauthorized or personal use of the organization's information and systems and the use of obscene, racist or otherwise offensive statements (for example, via e-mail or over the Internet).

  • Document that disciplinary action will be taken against individuals who violate policy requirements.



    Rebecca Herold is currently an information privacy, security and compliance consultant, author and instructor with her own company, Rebecca Herold, LLC. Rebecca has provided information security, privacy and regulatory services to organizations from a wide range of industries. She has over 15 years of information privacy, security and compliance experience. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the 1998 CSI Information Security Program of the Year Award.
This was last published in January 2006.
