Information Security Policies – Part 1

Information technology and security policies can mean many different things. As discussed in previous articles, most recently Risk Analysis is Cool, there are many steps that need to be taken to protect your information. In this article, we take a first look at some of the security policies to start with.

When dealing with risks to your organization, one of the most common ways to reduce the impact of a potential incident is to adopt policies designed to ensure work is performed in such a way that information is kept safe from compromise. This applies not only to IT systems but to all business systems and processes. Here, we discuss the non-IT areas in which a security policy may be useful, and the considerations that apply to each.

Physical Security Policies

Physical security policies detail the protections for your office and working areas, plus any surrounding areas worth protecting. A robust physical security program should cover how hard copies of information are securely stored, which areas are sensitive and how they are protected, protections against intruders and unauthorized personnel, security camera placement, and similar considerations.

Human Resources Security

Human resources policies generally cover how the organization screens potential hires, and what legal protections (such as confidentiality agreements) are in place so that, after employment ends, a former employee cannot disclose information learned on the job without legal repercussions. An HR policy will also usually describe how to transition an employee from one organizational role to another, and the disciplinary action taken in the case of information disclosure or policy violation.

Compliance

A robust compliance policy is critical to ensure that all relevant laws, industry directives, and contractual obligations are being met by the organization. This often includes retaining records such as IT system audit logs for use in the event of a security incident, and being able to demonstrate that laws surrounding personally identifiable information (PII) and intellectual property are being followed. Lax compliance policies may lead to extremely painful legal trouble if an incident ends up in court.

Vendor & Third-Party Security

If you do a great deal of business with third parties or rely on IT service vendors, it is generally a good idea to have a policy that outlines how these vendors are selected, what audit requirements your organization imposes to ensure their security is robust, and how they are periodically reviewed to verify they continue to meet your business and security needs.

Access Control

An access control policy specifies how your organization grants access to information so that personnel have exactly the level of access they need to do their jobs, no more and no less. There are many schemes possible for user access: role-based, rule-based, discretionary, and so on. This policy may also detail how user access groups are managed and how to ensure users are properly added to and removed from these groups when their job changes or ends.
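As an added illustration of the role-based scheme and the add/remove lifecycle described above (this is example code, not part of the original article), the following Python models users, roles and permissions, handles joiner, mover and leaver events, writes an audit trail, and runs a simple access review. The role catalogue, permission names and user names are hypothetical and constructed for the example.

```python
"""Minimal role-based access control (RBAC) model with joiner/mover/leaver handling.

Added example, not code from the original article. All roles, permissions and
user names are hypothetical and constructed for illustration.
"""
from dataclasses import dataclass, field

# Hypothetical role catalogue: role name -> permissions it grants.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "accounts-payable": {"invoices:read", "invoices:approve"},
    "hr-generalist": {"personnel-files:read"},
    "it-helpdesk": {"tickets:read", "tickets:update", "password:reset"},
}


@dataclass
class Directory:
    """User -> roles assignment plus an append-only change log for audit."""
    user_roles: dict[str, set[str]] = field(default_factory=dict)
    audit_log: list[str] = field(default_factory=list)

    def _validate(self, roles) -> set[str]:
        # Refuse roles that are not in the catalogue; no ad-hoc grants.
        unknown = set(roles) - ROLE_PERMISSIONS.keys()
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        return set(roles)

    def onboard(self, user: str, roles) -> None:
        """Joiner: grant exactly the roles the job needs, nothing else."""
        if user in self.user_roles:
            raise ValueError(f"{user} already exists")
        self.user_roles[user] = self._validate(roles)
        self.audit_log.append(f"onboard {user}: granted {sorted(self.user_roles[user])}")

    def transfer(self, user: str, new_roles) -> None:
        """Mover: replace the old role set so access from the former job does not accumulate."""
        new = self._validate(new_roles)
        old = self.user_roles[user]
        self.user_roles[user] = new
        self.audit_log.append(
            f"transfer {user}: revoked {sorted(old - new)}, granted {sorted(new - old)}")

    def offboard(self, user: str) -> None:
        """Leaver: remove the account's roles entirely."""
        old = self.user_roles.pop(user)
        self.audit_log.append(f"offboard {user}: revoked {sorted(old)}")

    def permissions(self, user: str) -> set[str]:
        """Effective permissions are the union of the user's roles; there are no direct grants."""
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.user_roles.get(user, set())))

    def is_allowed(self, user: str, permission: str) -> bool:
        return permission in self.permissions(user)


def review_access(directory: Directory, attested: dict[str, set[str]]) -> dict[str, set[str]]:
    """Periodic access review: compare assigned roles with what managers attest each user needs.

    Returns, per user, the roles that are assigned but not attested (excess access to revoke).
    A user present in the directory but missing from the attestation is reported in full.
    """
    findings: dict[str, set[str]] = {}
    for user, roles in directory.user_roles.items():
        excess = roles - attested.get(user, set())
        if excess:
            findings[user] = excess
    return findings


def run_demo() -> Directory:
    """Joiner -> mover -> leaver lifecycle on constructed sample users."""
    d = Directory()
    d.onboard("alice", ["accounts-payable"])
    d.onboard("bob", ["it-helpdesk"])
    d.transfer("alice", ["hr-generalist"])  # alice moves from finance to HR
    d.offboard("bob")
    return d


if __name__ == "__main__":
    d = run_demo()
    print("alice can approve invoices:", d.is_allowed("alice", "invoices:approve"))
    print("alice can read personnel files:", d.is_allowed("alice", "personnel-files:read"))
    print("bob permissions after offboarding:", d.permissions("bob"))
    for entry in d.audit_log:
        print(entry)
```

The point of `transfer` replacing the role set rather than adding to it is that a mover keeps only the access of the new job; the `review_access` call is what a periodic recertification would run against manager attestations to catch anything that slipped through.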

In conclusion, there are many ways to protect your company and its information, and not all of them deal directly with information technology. As discussed, there are many other areas that a business owner or manager must think about when writing security policies. Paying attention to all of these areas will continue to improve your security posture and ultimately help protect the information that is so vital to the business. Keep buttoning things up; there is more to come on your information security.


In our next post, we will talk about potential policies written to address risks involving IT systems.
