UNIT 5 MORE


Information security policy

An information security policy is a documented statement of rules and guidelines that need to
be followed by people accessing company data, assets, systems, and other IT resources. The
main purpose of an information security policy is to ensure that the company’s cybersecurity
program is working effectively.

A security policy is a "living document" — it is continuously updated as needed. It defines
the “who,” “what,” and “why” regarding cybersecurity. It’s different from a security
procedure, which represents the “how.” A security policy might also be called a cybersecurity
policy, network security policy, IT security policy, or simply IT policy.

The security policy doesn’t have to be a single document, though. A more sophisticated,
higher-level security policy can be a collection of several policies, each one covering a
specific topic. It’s quite common to find several types of security policies bundled together.

What should be included in a security policy? For starters, information security policies may
consist of acceptable use, confidential data, data retention, email use, encryption, strong
passwords, wireless access, and other types of security policies.

What are the benefits of information security policies? Why do we need to have security
policies? Here are 5 reasons:

1. To define roles and responsibilities. A well-written security policy document should
clearly answer the question, “What does a security policy allow you to do?” It should
outline who is responsible for which task, who is authorized to do such a job, what
one employee can do and cannot do, and when each task should be completed.

If security policies are in place, any onboarding employee can be quickly acquainted
with company rules and regulations. They define not only the roles and
responsibilities of employees but also those of other people who use company
resources (like guests, contractors, suppliers, and partners).

2. To define accountability. Employees can make mistakes. What’s more, some
mistakes can be costly, and they can compromise the system in whole or in part. This
is one area where a security policy comes in handy. It outlines the consequences for
not following the rules.

Security policies are like contracts. They are to be acknowledged and signed by
employees. This means no employee can be excused on the grounds of being unaware of the
rules or of the consequences of breaking them. Should an employee breach a rule, the
penalty cannot be dismissed as arbitrary, because the rule and its consequence were
documented and agreed to in advance. Security policies can also be used to support a
case in a court of law.

3. To increase employee cybersecurity awareness. Security policies act as educational
documents. They can teach employees about cybersecurity and raise cybersecurity
awareness. The range of topics that can be covered by security policies is broad, like
choosing a secure password, file transfers, data storage, and accessing company
networks through VPNs.
4. To address threats. Security policies must specify what needs to be done to
address security threats, to recover from a breach or cyber attack, and to
mitigate vulnerabilities. Addressing threats also overlaps with the other
elements (like who should act in a security event, what an employee must or must not
do, and who will be accountable in the end).
5. To comply with regulations. Security policies also shape the company’s
cybersecurity efforts, particularly in meeting the requirements of industry standards
and regulations, like PCI, GDPR, HIPAA, or ISO/IEC 27002.

Why should security policies be developed?

Security policies form the foundations of a company’s cybersecurity program. These policies
are not only there to protect company data and IT resources or to raise employee cyber
awareness; these policies also help companies remain competitive and earn (and retain) the
trust of their clients or customers. Think about this: if a bank loses clients’ data to hackers,
will that bank still be trusted? Eventually, companies can regain lost consumer trust, but
doing so is a long and difficult process.


Introduction to Indian Cyber Law

Indian Cyber Law is a legal framework in India that governs activities in cyberspace,
including the internet, digital communication, and electronic commerce. With the rapid
advancement in technology and the increasing reliance on digital platforms for
communication, business, and information exchange, the need for a robust cyber law
framework has become essential.

Key Legislation: The Information Technology Act, 2000

The cornerstone of Indian Cyber Law is the Information Technology Act, 2000 (IT Act). This
Act was enacted to provide legal recognition for transactions carried out by means of
electronic data interchange and other means of electronic communication, commonly referred
to as electronic commerce. The IT Act aims to facilitate electronic governance by providing
legal recognition to electronic records and digital signatures.

Objectives of the IT Act, 2000:

1. Legal Recognition of Electronic Transactions: Ensuring that electronic contracts
are legally enforceable.
2. Regulation of Digital Signatures: Providing a legal framework for the authentication
of electronic records through digital signatures.
3. Cybercrime Prevention: Defining various cybercrimes and prescribing penalties for
them.
4. Data Protection: Establishing provisions for the protection of sensitive personal data.
