Every organization should have an Information Security (InfoSec) policy, backed by a hierarchy of subordinate security policies, standards and procedures. The field has been turned upside down in the past few years by virtualization, mobile devices and cloud services, and some argue these developments have made a written policy obsolete. In fact, the opposite is true: it is now even more important for an organization's employees, customers and shareholders to know that management has thought about the security of its information assets and intellectual property. A written policy gives the IT organization a foundation for all of its security activities, and it gives IT a documented basis for action (investigation, containment, discipline or legal steps) when information security is compromised; without one, a response to an incident is an improvisation that can be challenged after the fact.
The policy document itself may be very succinct. It can simply state that IT and business management recognize the importance of information security, commit to proactive measures, and assign responsibility for them. The details, such as acceptable use, access control, incident handling and data classification, can be delegated to subordinate policies, standards and procedures that the top-level document references. The critical piece is getting buy-in and visibility from executive management, legal, HR and accounting/finance, because those are the groups that must approve and enforce the policy's consequences when it is violated.
While there are many examples of security policies on the web, only the IT manager has the organization-specific knowledge needed to customize them: which systems and data matter, who owns them, which laws and contracts apply, and what the organization can realistically enforce. The SANS (SysAdmin, Audit, Network, Security) Institute is an excellent source for assistance; it publishes several policy templates and a primer on its site. Those templates are a good starting point for thinking through the components of an InfoSec policy, but a template adopted verbatim, without tailoring and without management sign-off, is not a policy the organization can actually enforce.