Why is an information security policy necessary? Explanation of its contents, operation and management


With the advancement of IT and the emergence of what is now called the information society, information leaks and financial damage caused by cyber attacks occur frequently. In Japan, too, organizations are being urged to strengthen their information security measures.

The first thing an organization should do when implementing information security measures is to formulate an "information security policy." Surprisingly few people, however, have a clear understanding of what an information security policy is and what it means.

This article therefore explains the format of an information security policy, the steps for formulating one, and the organizational structure that should be responsible for it.


What is an information security policy?

First, what does the word "policy" mean? In a narrow sense it means something like a "philosophy," "principle," or "direction"; in a broad sense it also covers "methods," "means," and "procedures."

Information security policy is likewise said to have a narrow and a broad meaning.

In the narrow sense, it refers only to the principles and guidelines for information security. In the broad sense, it means the whole body of rules concerning information security measures, including the specific procedures for implementing them.

This article treats information security policy in the broad sense.


Why is an information security policy necessary?

The purpose of an information security policy is to protect the organization from risks such as cyber attacks and information leaks. An organization needs sufficient equipment and mechanisms in place to protect itself from such damage.

Establishing an information security policy is not only about putting equipment and systems in place; it also raises awareness within the organization. Most information leaks are said to be caused by human error inside the organization. By thinking through and deciding for yourselves what information must be protected, why, and how, you increase the organization's awareness of security.


What does an information security policy contain?

The content of an information security policy is generally divided into three layers, in this order: the "basic policy," the "countermeasure standards," and the "implementation procedures."


Basic policy

In English this layer is also called the "policy." It answers the "why": why are information security measures necessary? It forms the foundation of the entire information security policy and states the principles to be followed.

Specifically, it covers the scope of application of the information security policy, who it applies to, the organizational structure and roles, and how violations are handled.


Countermeasure standards

In English this layer is also called the "standard." It answers the "what": what measures will be implemented? It can be thought of as the collection of rules for implementing information security measures.

Specific examples are standards for entrance and exit control, security education standards, and standards for use of the internal network.


Implementation procedures

In English this layer is also called the "procedure." It answers the "how": how exactly will each individual measure be implemented? Simply put, you can think of it as a manual.

Specific examples are an entrance and exit control manual, an antivirus software installation procedure, and a network configuration manual.


Who should draft it?

Developing an information security policy is a difficult task. It is usually carried out by a body set up for the purpose, such as an "Information Security Committee."

What matters here is that the company's representatives and executives participate in that body as much as possible.

An information security policy is an important statement of how the organization protects its information, and as such it is part of management policy. Even if specific tasks are delegated to other staff, responsibility for formulating the policy rests with management, which should be fully involved.

It is also better not to formulate the policy with the management team alone, but to involve people who correctly understand how the organization actually works. If the policy does not fit the organization's situation, for example in deciding who should hold administrative authority and how much, it can cause problems in daily work.

If no one in the company is knowledgeable about information security, engaging an external consultant is another option. As noted above, however, appropriate measures cannot be taken without familiarity with the actual situation inside the company, so rather than relying entirely on a consultant, engage one as an advisor while developing your organization's information security policy yourselves.


Steps to formulate information security policy

The Information-technology Promotion Agency (IPA) defines the process of formulating an information security policy as the following eight steps.

  1. Establishment of organization/system
  2. Formulation of basic policy
  3. Identifying and classifying information assets
  4. Risk analysis
  5. Selection of control measures
  6. Establishment of countermeasure standards
  7. Clarification of countermeasure standards and thorough dissemination
  8. Formulation of implementation procedures

Explaining each step in detail would make this article too long, so it is omitted here. Various organizations have published their procedures online, which can serve as a reference.

Also, although this article describes one way of formulating an information security policy, the steps, format, and content vary from company to company. Please treat this as an example only.


Operation and management

Creating an information security policy is not the end. It must then be properly operated and managed. What is said to be important for this operation and management is running the PDCA cycle.

"PDCA" in information security policy

◆PLAN (formulation)

Formulate the information security policy.

◆DO (implementation)

Thoroughly disseminate the established information security policy within the organization. It is only effective if the entire organization acts correctly in accordance with it.

◆CHECK (audit/evaluation)

Audit whether the established information security policy is being implemented correctly. Even where it is implemented correctly, the audit may reveal problems and shortcomings in the policy itself.

◆ACT (improvement)

Correct the areas found in the Check phase not to be implemented correctly, and revise the shortcomings and problems found in the information security policy itself.

The appropriate information security measures change with factors such as the situation of the organization and of society, so keep reviewing the policy by running the PDCA cycle regularly.


Create an information security policy that suits your organization

This article has summarized the typical format of an information security policy, the steps for formulating one, and the organizational structure responsible for it. As stated several times, however, the optimal form of information security policy differs from company to company. Start by thinking about what type of information security policy is best for your organization, and then raise awareness and strengthen your organization's information security measures to avoid damage from cyber attacks.


[Reference sites]
Overview and purpose of information security policy | Cabinet Secretariat Information Security Center / Cyber Security Headquarters
Information security policy sample explanation | JNSA
Information security measures guidelines for small and medium-sized enterprises, version 3.1 | IPA
Meaning and explanation of "policy" | weblio dictionary

