10 Must-Have Information Security Policies

Employees Meeting in Conference Room

Every year, HBS consultants review information security policies for dozens of organizations as part of regular risk assessments. And while no two organizations are exactly alike, we do find one consistent theme: Most clients need to do some serious work on their information security policies. The policies are often incomplete, badly outdated or missing altogether. That means that strengthening your security posture should start by checking whether you have the following essential policies, which our consultants have ranked in rough priority order. (And, of course, you need to actually follow the policies you have in place.)  

1. Information Security Policy 

Start with this foundational document. It provides an overview of the topics that you can develop further in the specific documents listed below as your program matures. Your Information Security Policy covers the top-line aspects of areas such as acceptable use, password management, access control, encryption, etc. 

2. Acceptable Use Policy 

These are the basic rules for everyone in your organization. Make sure the policy is clear and concise and that every employee reads it and signs it on their first day of work. Writing this policy and sharing it with each employee ensures that you can enforce critical security rules in the future. 

3. Incident Response Plan 

Don’t start thinking about how to handle a data breach on the day you discover one. A written IR plan helps you anticipate potential issues and create a detailed checklist that tells everyone what to do when stress is running high. A recent IBM study found that organizations with a written IR plan reduced the cost of a breach by 55%. A good plan identifies your response team in advance and clearly describes each person’s duties, along with how the team will coordinate efforts. Use this guide to start creating your plan. 

4. Access Authorization and Identity Access Management 

Hackers always hope that compromising one set of credentials will give them access to your entire environment. You prevent that by limiting each user’s access to no more than the data they need to do their job. Write a policy for determining what access every user gets, and be sure to include a plan for regularly updating access when people switch jobs, leave the organization, etc. 

5. Business Continuity/Disaster Response 

Closely related to the IR plan is this policy that anticipates how you’ll avoid serious operational interruptions in a variety of scenarios. Your BC/DR plan lays out the business impact of various threats and describes how you’ll pivot to restore critical operations as quickly as possible. Be sure to plan for testing to confirm that your plans hold up in real life. 

6. Risk Management Policy 

This document explains your organization’s overall approach to evaluating and remediating risks. The policy will explain how you identify risks, measure their likelihood and impact, set strategies for handling them, etc. 

7. Vendor and Third-Party Management 

The security of your key suppliers and partners is your problem, too. If a key supplier suffers a breach, you may lose access to essential supplies and services. If one of your software suppliers gets breached, your own system could be infected with malware unwittingly delivered by someone you trust. You need a policy for reviewing the security posture of all third parties, whether that’s following your own security questionnaire or requiring something like a SOC 2 report. 

8. Change Management 

Who has authority to change IT elements such as firewall settings or approve a new piece of software? Your policy should ensure that only qualified people have that authority, and that proposed changes are reviewed by the appropriate stakeholders to avoid unintended consequences. 

9. Security Awareness and Training 

You can choose to view your end users either as the biggest threat to your security or as your biggest team of frontline defenders. That means you need a plan for purposefully educating each employee on critical security issues, with an emphasis on the “why” so everyone knows how it affects them. 

10. Password Policy 

Your end users interact with this policy multiple times a day as they log into their systems. Yet password policies are still widely overlooked. Compromised credentials remain one of the top ways hackers get into a system. And if you’re wondering how robust most password policies are, consider that the most popular password in 2021 was “123456.” The second most popular was “password.” Make time to update your policy to require strong passwords. 

If you need expert help in reviewing your existing policies or writing new ones, contact us today to talk to an HBS cybersecurity consultant.