Why a Written Information Security Policy Is a Must-Have

October 14, 2015

In the previous post, we discussed the growing need for cybersecurity insurance as more organizations look for ways to protect themselves against financial losses resulting from a security breach. While cybersecurity insurance does typically cover costs related to errors and omissions, media liability, network security and privacy liability, it is only one part of the security equation. Without proper security planning and documentation, organizations still run the risk of data loss, reputation damage, and operational disruption.

In fact, many insurance providers require customers to have a written information security policy. In highly regulated industries such as healthcare and finance, specific rules and best practices must be followed to meet compliance standards, and documentation is required. Some business partners, vendors and clients may also require a written policy as a way of demonstrating competence in data security.

An information security policy is a document that states how an organization intends to protect physical and digital data from internal and external threats. The policy typically explains how sensitive data is collected, stored and shared, tools used and processes followed to protect data, risk identification and assessment, and the responsibilities of key people involved in securing data and managing breach incidents. An information security policy is a living document that continues to evolve as business objectives, laws and technology change. It should be closely tied to your company’s incident response and business continuity plans.

Many organizations either don’t have a policy or simply use a generic template that they found online. In both cases, these organizations are leaving themselves exposed to serious problems. Developing an information security policy can seem unnecessary for an organization that has not been affected by a security breach. However, companies that operate under the assumption that a breach will eventually happen tend to be more prepared than those who take the “it will never happen to me” approach.

Even if a written policy is not required by law, it can still provide value to any organization. An information security policy can be used to train employees and create a company culture that prioritizes data security. Having a formal policy improves operational efficiency and prevents confusion, both of which have a direct impact on the effectiveness of your security strategy. A written policy can reduce the risk of downtime and business disruption that can hamper productivity, stall revenues, and shatter the confidence of customers, vendors and business partners. It shows that you’re being proactive in trying to stop a breach and can reduce the likelihood of legal action or regulatory fines.

Drafting an airtight information security policy can be a daunting task, which is why so many organizations take the online template shortcut. While templates can help you get started and provide a basic framework, your company’s policy must be customized for your company. Consider having an attorney who understands issues such as technology and compliance lead the process of developing an information security policy. At the very least, have your policy reviewed by an attorney before it is implemented.
