Skip to main content

An information security policy is a set of rules and guidelines that an organisation issues for securing its confidential data. Employees of the organisation should understand and follow the information security policy.

In this article, we list effective ways that you can use to develop a information security policy, or beef up your organisation’s existing information security policy.

1.     Address the problem of password management

Many organisations, despite knowing about the existence of their security issues, are often confused on how to address them. It might sound obvious, but this is where most of a company’s security failings can be resolved.

For instance security policies must pay much attention to password management. Employees choose their own passwords and are then responsible to manage and control them. However they should be provided with the tools to create, store and access the range of passwords they may need to use.

According to a report by Verizon published in 2017 on data breach investigations, is where things take a turn for the worst. It says that more than 4 out of 5 data breaches are happening due to compromised or weak passwords. In addition, a survey has reported that almost 80% of employees find password management a hassle. An issue that can be easily solved with a password manager.

The scale of the problem here demands that organisations address the clear problem of password management in their information security policy.

2.     Use a holistic approach

As a modern business you should understand the barrier between work life and personal life is becoming more and more indistinct. This idea extends to information security as well. Technology departments must tailor security guidelines around the modern employees work behavior.

Concepts such as BYOD (Bring Your Own Device) are gaining traction nowadays. Organisations need to take a more holistic approach to their information security policies, which involves looking beyond employee work logs and company related passwords.

A single employee, whether in-office or remote, can put the entire organisation’s information security at risk. This makes every employee a possible point of failure for the entire network. The information security policy should take this into consideration and adequately address the risks associated with BYOD. Doing so will allow them to protect the company’s information against attackers.

3.     Educate the employees

Educating employees about information security is an important process when it comes to protecting your organisation’s data.

Regular training sessions that stress the basic concepts of security such as the risks of public networks and password management should be conducted. These sessions can be delivered by internal security experts or third-party security services, depending on the resources available to your organisation.

The most common types of data breaches are caused by the lack of education of employees. Therefore, you should incorporate training and awareness in the organisation’s information security policy. For instance, a security training program can be introduced that requires employees to attend monthly security sessions held within your organisation.

4.     Automate and simplify

Simplify what you can, and automate what you cannot. This simple rule can help you improve your organisation’s information security policy significantly.

A simple information security policy will go a lot further than a binder filled with complex security procedures. This is because employees are more likely to circumvent a complex security measure than a simple one.

You should first attempt to simplify anything that you can within the security policy. For instance, make it clear what the minimum length for passwords should be, rather than just suggesting the use of strong passwords.

For things that cannot be simplified, such as the process of validating online websites, you can make use of tools such as firewalls to prevent employees from violating the policy.


For businesses, information security in today’s world is more of a necessity than a luxury. It is important for an organisation to make a holistic yet simple changes in their approach to information security policies, to address concerns related to cybersecurity.

CyberSmart understands that managing your information security policy can be an excruciating task. If you would like to learn more about how to improve your information security policy, get in touch with us right away. We would love to help you polish your security policy for mitigating risks of cyber attacks.