IT Toolkit: By James Stapleton

The objectives if an IT security policy are the preservation of confidentiality, integrity, and availability of systems and information used by an organization’s members. These three principles compose the CIA triad: Confidentiality involves the protection of assets from unauthorized entities, integrity ensures the modification of assets is handled in a specified and authorized manner, and availability being a state of the system in which authorized users have continuous access to said assets.

The IT Security Policy is a living document that is continually updated to adapt with evolving business and IT requirements. Institutions such as the International Organization of Standardization (ISO) and the U.S. National Institute of Standards and Technology (NIST) have published standards and best practices for security policy formation. As stipulated by the National Research Council, the specifications of any company policy should address:

1. Objectives

2. Scope

3. Specific goals

4. Responsibilities for compliance and actions to be taken in the event of noncompliance.

Also mandatory for every IT security policy are sections dedicated to the adherence to regulations that govern the organization’s industry. Common examples of this include the PCI Data Security Standard and the Basel Accords worldwide, or the Dodd-Frank Wall Street Reform, the Consumer Protection Act, the Health Insurance Portability and Accountability Act, and the Financial Industry Regulatory Authority in the United States. Many of these regulatory entities require a written IT security policy themselves.

An organization’s security policy will play a large role in its decisions and direction, but it should not alter its strategy or mission. Therefore, it is important to write a policy that is drawn from the organization’s existing cultural and structural framework to support the continuity of good productivity and innovation, and not as a generic policy that impedes the organization and its people from meeting its mission and goals.

   -What Is an IT Security Policy?