A policy contains numerous ideas or a plan of what should be done in certain situations. Businesses generally have policies relating to HR and finance but are lacking in security policies.

An information security policy is used to describe a set of rules, inclusive of allowed and disallowed behaviour for its information systems and assets as to minimise the threats an organisation may face regarding IT.

There are various types of policies that can be written within an organisation. These are:

Regulatory – This ensures the organisation is following standards set by a specific industry (PCI-DSS, HIPPA etc)

Advisory – This advises employees what type of behaviour and activities should occur within an organisation. It should also include possible disciplinary actions if the policy is not adhered to (usually in a disciplinary procedure).

Informative – This is not enforceable, but it teaches individuals about a specific topic that’s relevant to the organisation.

Common policies within an organisation include acceptable use, stipulating constraints and practices that must be adhered to on a corporate network. A password policy includes the complexity requirements a password must contain and a Bring your own device policy is a set of rules relating to personal devices being utilised within a corporate network and containing company sensitive data.

Policies should be placed in a shared location that are easily accessible by all employees. For example, this is useful if an employee needs to change their password but cannot remember the complexity rules required. Additionally, employees should sign that they have read the policy and agree to the rules stipulated. If the rules are broken, then disciplinary action can be taken against the individual.