How to create an effective security policy (and 4 templates to get you started)

Download our ebook that features templates for security policies on passwords, acceptable use, email, access control, BYOD and incident response.



Anyone can go online and download a set of generic, cookie-cutter security policies. And while the adoption of those templates might enable an auditor or a compliance officer to check the box that says the organization has a security policy in place, it doesn’t do anything to make the company any less vulnerable to attack.

In order to implement a truly effective security policy, organizations should take a comprehensive approach that includes building support from upper management, making sure end users are on board and understand the importance of complying with security policies, providing continuous education, and enforcing policies in a serious way.


In other words, companies need to build an enterprise-wide security culture, which is easier said than done.

The first problem is that unless security policies are constantly reinforced through education, testing and periodic re-certification, many employees simply forget the rules. An even bigger problem is employees deliberately skirting strict security guidelines because the policies might be perceived as unnecessarily slowing them down or getting in the way of them doing their job. So, an end user might share their password with a contractor, for example, out of expediency.


Shadow IT is another situation in which employees sidestep the normal IT procurement and security procedures and avail themselves of cloud-based productivity, storage and collaboration applications that IT isn’t even aware of.

In this environment, organizations need to take a thoughtful, measured approach to writing and implementing security policies that strike a balance between protecting the organization and not being so onerous that employees reject or ignore the policies.

How to develop a security policy

Developing a security policy starts with identifying a set of clear goals and objectives, defining the scope of the policy in terms of who should be covered, and pinpointing what data needs to be secured.

In order to build consensus, it’s important to be inclusive, to enable everyone who will be impacted by the policies to have a voice in defining them.


Companies also need to understand the current state of their security defenses. For example, a vulnerability assessment or penetration testing exercise will establish where the holes are. An understanding of regulatory obligations is also important.

Organizations also need to conduct an honest evaluation of their existing culture: are current rules strictly enforced, or are things typically lax? In other words, how likely is it that the organization will face significant pushback from employees if it tries to impose new prohibitions on practices that were previously tolerated, such as accessing social media sites during work hours?

Companies also need to make sure that security policies are written in clear, understandable language, not convoluted legalese. And the way that companies execute their security education programs needs to reflect the different ways that people learn. For example, instead of requiring that employees physically attend a classroom session conducted by an HR person or security professional, companies could provide online, self-directed learning experiences.

Once a company makes the decision to write a set of security policies, the next step is to prioritize, because there are literally scores of policy templates that cover everything from a “clean desk” policy to rules on how to retire old equipment to policies covering various types of disasters, including pandemics. Companies will want to identify the most critical pain points and avoid overwhelming employees with too many policies.

For most companies, the top six policies would cover password generation and protection, acceptable use of corporate resources, email and other electronic communications, access control, BYOD and incident response.

And keep in mind, these templates are just a framework. Each company needs to customize these templates to suit their unique requirements.

Download our how-to guide below. 


Click to download Security Policy ebook