How to create an information security policy in your company?

by senhasegura Blog Team | May 3, 2019 | BLOG

The evolution of computer networks has made information sharing increasingly prevalent. Information is now exchanged at a rate of trillions of bytes per millisecond, a daily volume that goes beyond comprehension and even beyond the available nomenclature. A proportion of this data is not intended for sharing beyond a limited group, and much of it is protected by law or as intellectual property.

An Information Security Policy is a set of rules enacted by an organization to ensure that all users and networks of the IT infrastructure within the company’s domain comply with the requirements for the security of digitally stored data, within the limits in which the company has authority.

A policy can be as broad as its creators want: basically everything from A to Z in terms of IT security, and even more. For this reason, in this article we list some key elements of a policy; however, each organization must decide what to include according to the characteristics of its business.

1 – Purpose

A company creates an information security policy for several reasons:

  • To establish a general approach to information security;
  • To detect and avoid the compromising of information security, such as misuse of data, networks, computer systems, and applications;
  • To protect the company’s reputation with respect to its ethical and legal responsibilities;
  • To comply with their customers’ rights;
  • To provide effective mechanisms to respond to complaints and queries regarding actual or perceived nonconformities.

2 – Scope

The policy should address all data, programs, systems, facilities, other technology infrastructures, technology users, and third parties in a given organization without exception.

3 – Information Security Goals

A company that strives to have a security policy in place needs clear security goals and a strategy adopted by top management. Any inconsistency here may leave the information security policy project ineffective, with little adherence to the organization’s business. The most important thing for a security professional to remember is that knowing the security management practices allows them to incorporate those practices into the documents they are in charge of writing. This ensures the integrity, quality, and feasibility of the policy.

Simplifying the policy’s language is something that can smooth out differences and ensure consensus among employees. Consequently, ambiguous expressions should be avoided, and care should be taken that common words and terms are used in their correct meaning. Redundancy should be avoided so that documents do not become long and out of sync. In the end, too much detail may prevent full compliance with the policy.

The security professional should make sure that the policy has institutional importance equal to the other policies adopted by the corporation. Where an organization has a complex structure, policies may differ, and it is therefore recommended that they be segregated to define the transactions within the intended subset of the organization.

Information security is considered to safeguard three main goals, known as the information security pillars or triad:

  • Confidentiality – data and information assets must be entrusted only to people authorized to access them and should not be disclosed to other individuals;
  • Integrity – to keep data intact, complete and accurate, including operational IT systems;
  • Availability – a goal indicating that the information or system is available to authorized users when necessary.

Donn Parker, one of the pioneers in the field of IT security, has expanded this triple paradigm by also suggesting “authenticity” and “compliance.”

4 – Authority and Access Control Policy

Normally, a security policy has a hierarchical pattern. This means that a lower-level team is generally required not to share the limited information it holds unless explicitly authorized. On the other hand, a manager or senior professional may have enough authority to decide which data can be shared and with whom, which means they are not bound by the same terms of the information security policy. Therefore, logic requires that the policy address all the organization’s basic positions with specifications that clarify their authority status.

In essence, it is a hierarchy-based delegation of control in which each person has authority over their own work. A project manager, for example, has authority over the project files belonging to the group they are assigned to. The system administrator likewise has authority over system files only, which is similar to the doctrine of separation of powers. Obviously, a user may have a “need to know” for a specific type of information. Therefore, the data must have an attribute of minimal granularity to allow the appropriate authorized access. This is the fine line for finding the delicate balance between allowing access to those who need to use the data as part of their work and denying unauthorized access.

5 – Data classification

Data can have different values. Graduations on this value index may impose separation and specific handling regimes or procedures for each type. The data classification policy can organize the entire set of information as follows:

  • High-Risk Class – Data protected by state and federal laws (Data Protection Law, HIPAA, PCI) as well as finance, payroll, and staff (privacy requirements) data are included here;
  • Confidential Class – Data in this class is not protected by law, but the data holder believes that it must be protected against unauthorized disclosure;
  • Public Class – This information may be distributed freely.

Data owners should determine both the data classification and the exact measures that a data custodian needs to take to preserve the integrity according to this level.
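Sections 4 and 5 describe the rules in prose. The following Python model is an added example, not code from the article or from senhasegura, showing how those rules become a single deny-by-default access check: a classification gate (section 5), need-to-know assignment to a scope, and hierarchy-based authority to share (section 4). All users, roles, scope names, file names and the explicit-grant mechanism are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class DataClass(IntEnum):
    """The three classes of section 5, ordered so a larger value is stricter."""
    PUBLIC = 0
    CONFIDENTIAL = 1
    HIGH_RISK = 2


@dataclass(frozen=True)
class Asset:
    name: str
    classification: DataClass
    scope: str  # owning scope, e.g. "project:apollo" or "system:hr-erp" (constructed)


@dataclass
class Principal:
    name: str
    role: str
    scopes: set[str] = field(default_factory=set)  # scopes the person is assigned to
    clearance: DataClass = DataClass.PUBLIC  # highest class they may handle


# Which role owns (and may share out of) each kind of scope: the project manager
# over project files, the system administrator over system files only.
OWNER_ROLE = {"project": "project_manager", "system": "sysadmin"}


def may_access(principal: Principal, asset: Asset, action: str,
               explicit_grants: frozenset[tuple[str, str]] = frozenset()) -> bool:
    """Deny by default; allow only when every policy rule holds.

    Rule 1 (classification): the asset's class must not exceed the clearance.
    Rule 2 (need to know): non-public assets require assignment to the scope.
    Rule 3 (authority to share): sharing is reserved to the owner role of the
    scope kind, unless the policy records an explicit grant (scope, user).
    """
    if asset.classification > principal.clearance:
        return False
    in_scope = asset.scope in principal.scopes
    if action == "read":
        return asset.classification == DataClass.PUBLIC or in_scope
    if action == "share":
        if (asset.scope, principal.name) in explicit_grants:
            return True
        scope_kind = asset.scope.split(":", 1)[0]
        return in_scope and principal.role == OWNER_ROLE.get(scope_kind)
    return False  # any action the policy does not name is denied


def evaluate_sample() -> dict[tuple[str, str, str, bool], bool]:
    """Run the policy over constructed sample users and assets.

    Keys are (user, asset, action, explicit_grant_present)."""
    payroll = Asset("payroll_2019.xlsx", DataClass.HIGH_RISK, "system:hr-erp")
    plan = Asset("apollo_plan.docx", DataClass.CONFIDENTIAL, "project:apollo")
    press = Asset("press_kit.pdf", DataClass.PUBLIC, "project:marketing")

    alice = Principal("alice", "project_manager", {"project:apollo"}, DataClass.CONFIDENTIAL)
    bob = Principal("bob", "sysadmin", {"system:hr-erp"}, DataClass.HIGH_RISK)
    carol = Principal("carol", "analyst", {"project:apollo"}, DataClass.CONFIDENTIAL)
    grants = frozenset({("project:apollo", "carol")})  # explicit authorisation by the owner

    checks = [
        (alice, plan, "read", frozenset()),      # owner reads her project file
        (alice, plan, "share", frozenset()),     # owner may decide to share it
        (carol, plan, "share", frozenset()),     # lower level: no authority to share
        (carol, plan, "share", grants),          # ... unless explicitly authorised
        (bob, plan, "read", frozenset()),        # sysadmin: system files only
        (bob, payroll, "share", frozenset()),    # sysadmin over his own system scope
        (alice, payroll, "read", frozenset()),   # classification above her clearance
        (carol, press, "read", frozenset()),     # public data needs no assignment
        (carol, press, "share", frozenset()),    # but sharing still needs scope authority
        (bob, payroll, "delete", frozenset()),   # action the policy never named
    ]
    return {(p.name, a.name, act, bool(g)): may_access(p, a, act, g)
            for p, a, act, g in checks}


if __name__ == "__main__":
    for key, decision in evaluate_sample().items():
        print(key, "ALLOW" if decision else "DENY")
```

The ordering of the checks matters: the classification gate runs first and applies to everyone, so seniority never bypasses it, and the final `return False` makes any action the policy has not spelled out a denial rather than an accident.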

6 – Support and Data Operations

In this part, we can find clauses that stipulate:

  • The rules of the general system mechanisms responsible for data protection;
  • Data Backup;
  • Data movement.

7 – Security awareness

Sharing IT security policies with the team is a critical step. Making them read and sign a document does not necessarily mean they are familiar with or understand the new policies. A training session involves employees in a positive attitude towards information security and ensures they have a sense of the procedures and mechanisms in place to protect data, confidentiality levels, and data sensitivity issues. This awareness training should address a wide range of vital topics: how to collect, use and delete data, maintaining data quality, records management, confidentiality, privacy, proper use of IT systems, correct use of social networks, etc.

8 – Responsibilities, rights, and duties of staff

This section defines the responsibilities of the people assigned to perform implementation, education, incident response, user access reviews, and periodic updates of the information security policy.

Preventing theft, and protecting knowledge and industrial secrets that could benefit competitors, are among the most often cited reasons why a company might want to employ a policy to defend its digital assets and intellectual property rights.

9 – Other items an information security policy might include

  • References to relevant legislation;
  • Virus Protection Procedure;
  • Intrusion Detection Procedure;
  • Remote Work Procedure;
  • Technical Guidelines;
  • Audit;
  • Employee Requirements;
  • Consequences of Noncompliance;
  • Disciplinary Actions;
  • Dismissed employees;
  • IT Physical Security;
  • References to Supporting Documents, and so on.

Some organizations, without giving it much thought, download sample IT policies from a website and copy and paste those ready-to-use materials, trying to fit their own policy goals and purposes into a template that is often unpolished and too broad. Understandably, if the structure is not accurate, the result will not be satisfactory.

A high-quality Information Security Policy can make a big difference in your company. Increased efficiency, greater productivity, clarity of each department’s goals, understanding of the data to be protected and why, identifying the type and levels of security required, and defining recommended information security practices are sufficient grounds for creating this document in the most appropriate way. If you want to lead a company that is more likely to thrive in today’s digital age, it certainly needs to have a good information security policy.
