Creating a Formal Security Policy for Your Organization

Cyberthreats are on the rise while companies run short on time, resources and money. The result is no surprise: IT professionals are stretched thin just keeping basic network security in place, and a single weakness can lead to large-scale data loss, system damage or identity theft. There is no quick fix; cybercrime is an arms race run at high speed. Companies can, however, lay groundwork that limits the impact of an attack, and it starts with a formal security policy. Here's what you need to know about building one from the ground up.

Formal Policies in Demand

According to Cisco's 2016 Annual Security Report, companies are increasingly interested in developing stronger protection policies. In 2014, 59 percent of respondents said they had a "written, formal, organization-wide security strategy that is reviewed regularly." In 2015, that number rose to 66 percent.

What exactly is a formal security policy? Put simply, it is a single document that lays out specific security expectations and responsibilities for every member of your organization. Many departments keep their own rules governing security conduct, but those rules, even when written down, form an informal ruleset that is neither uniformly enforced nor visible to the rest of the company, and they will never have the impact of a company-wide, formally drafted policy.

Creating a formal security policy starts with securing both executive and IT support. Without a member of the C-suite on board, it is impossible to get the traction needed to push a policy through and make it apply across headquarters, local offices and satellite sites alike. Early involvement of the IT and security teams is just as important: they are the people most familiar with existing weak points and emerging threats, so consult them before drafting any policy document. Trying to shoehorn in their expertise after the fact limits both the effectiveness and the adoption rate of the new policy.

Bottom line? "Formal" means codified, clearly laid out and applicable to every member of the organization. That structure leaves no room for misinterpretation or "creative" reading of the policy.

Visibility

There is no hard-and-fast rule about what belongs in a formal business security policy, but a few big-ticket items should always make the list. First up: visibility. As Beta News notes, "a comprehensive strategy with one centralized view is necessary for ensuring that security tools are functioning properly." Even with advanced security software and an adaptable IT team, you need real-time visibility into your security architecture to confirm that controls are actually working and that threats are being detected rather than assumed away.

To achieve this, visibility must be a key line item in the policy itself. Spell out how services will be monitored: which tools will be used, who owns oversight and reporting, how often monitoring and review take place, and what is done when a service is found to be non-functioning or at risk (who is notified, on what timeline, and who has authority to take it offline). Settling visibility up front avoids larger security issues down the line.

Cloud Security

Whether you run a private or public cloud, with a single provider or several, your company almost certainly uses some form of cloud computing day to day, so the cloud must be part of your formal security policy. TechTarget offers a few key considerations when drafting cloud security policies:

  • Who's responsible for signing off on cloud projects? The CIO? Another executive? Make the chain of command clear.
  • Ensure the policy speaks to the sensitivity and classification of data: what types of data may be moved to the cloud, and what must stay local?
  • How will you handle compliance? Many providers are certified against standards such as PCI DSS or offer HIPAA-ready services, but that certification covers only the provider's side of the shared-responsibility model; your company remains accountable for meeting the standards that apply to it, even in the cloud.

Mobile Device Management

Mobile devices are both boon and bane for most organizations. They empower collaboration and creativity, but they also introduce a large number of potential network security risks. No formal security policy is complete without a detailed description of mobile device risks and responses.

For example, it's critical to lay out who owns the devices on your network: are employees allowed to bring their own device, or does the company provide smartphones and tablets? That answer informs the next part of the policy, expected use. Include specific language about monitoring and remote-wipe software, along with details of any mobile application management (MAM) or oversight tools. If personal devices are allowed, state plainly what the organization may do to them (enroll them in management, inspect them, wipe them), because those powers carry privacy and legal implications that are best settled before an incident rather than during one. The policy also needs to spell out expected online conduct for mobile device use and the specific consequences when standards are not followed. Drafting this up front limits the downstream user issues caused by piecemeal or "informal" mobile policies.

Information Security

Information is the lifeblood of your company. From physical files to digital copies to assets that exist only online, data protection must be a top priority to ensure business continuity. Every formal network and data security policy therefore needs specific documentation on information security: how will you protect every form of data within your organization?

For a solid starting point, consider: Who can access which documents, and for what purpose? What is the expected lifecycle of a given piece of information, how long is it retained, and what is the end-of-life procedure for disposing of it securely? Data security policies are also an opportunity to implement an effective data classification model: make sure highly sensitive data is backed up, that the backups are protected as carefully as the originals, and that access is restricted to those with a documented need rather than being widely available to users.

According to the SANS Institute, it is also worth drafting your InfoSec policy from the ground up rather than taking one "off the shelf," because every organization has its own needs and its own way of interacting with stored data. Trying to fit square policies into round procedures is nothing but a headache for IT pros and the C-suite alike. InfoSec policies should also stay focused on the task at hand: information security touches nearly every aspect of corporate safety, so it is tempting to adopt an all-inclusive strategy. Resist that and keep the policy focused on information assets alone.

Managed Services

Last but not least, draft a formal policy that covers managed services. This includes any third-party vendor that provides a service, from analytics to cloud storage to hosted security offerings. Lay out policies for evaluation, testing and compliance, and write those requirements into the contract; providers should be willing and able to operate within your framework so that your network services remain protected. Be wary of any outsourcing partner claiming its policies trump your own. Such partners often try to assuage concern with promises of "total responsibility" in case of a breach, but the bottom line is simple: if they are working with your data, they follow your rules. A formal policy of initial and ongoing vendor evaluation streamlines both recruiting and monitoring vendors, and gives you something concrete to check them against.

Total security is impossible; better security starts with a formal policy that covers the critical aspects of your organization: visibility, cloud security, mobile devices, information and managed services. Cover those and you are better placed to defend your bottom line.