Most people tasked with developing a data security policy will immediately go looking for a downloadable template, but did you know there are four crucial steps to take before you even start typing? And did you know that emailing out the final copy isn’t the last step?
Follow along as this guide takes you through the entire process of developing a data security policy. In 12 easy steps, you will learn how to create a strong, effective data security policy that protects your company’s and customers’ data.
Bonus: skip over step four with this free data security policy template.
Before Writing Your Data Security Policy
A data security policy won’t be effective just because you used all the right words and got it laminated. The work you do before writing out the policy is just as important in making sure it’s practical, useful and successful.
Specifically, you want to identify your goals, choose your “golden rules”, categorize your data and use an approved framework or template.
The root of any effective data security policy is a goal. For your policy to be strong, every how-to, what-if, practice and procedure must be built up from a set of pre-determined goals.
Conduct as many meetings as needed to make sure everyone has provided input. Take as much time as necessary to define your goals properly, making sure they’re clear, comprehensive and definitive.
Based on your goals, develop key principles or “golden rules” that are central to your organization’s data security efforts. These “golden rules” are short, concise mandates to follow when working with data, making decisions or developing procedures.
Common data security principles include:
- Confidentiality: data is only seen or used by authorized persons.
- Accountability: changing, manipulating or modifying data is either made impossible or tracked.
- Availability: data is only available as required. Access is revoked when no longer required.
- Ethics: data collection is always fair, lawful, specific, legitimate and transparent.
- Timeliness: data is only collected as needed and only kept for as long as necessary.
- Compliance: procedures comply with relevant data security legislation.
Before you start writing out the policy, audit and classify your data. When all of the data is condensed and grouped into categories, it’s easier to decide exactly where to invest your time and efforts.
Data is often grouped into the following categories:
Public Company Data
The first category, public company data, may include things like news, stock quotes and other “open” information. It wouldn’t be much of a problem if someone were to accidentally disclose or destroy data from this category. A press release on your company’s charitable efforts may be considered public company data.
Proprietary Company Data
The second category, proprietary company data, is usually sensitive information that “derives its economic value from not being publicly disclosed” (green). Most of the time, an organization is under a legal or contractual obligation to keep this information secure. For example, the recipe for your pizza dough.
Confidential Company Data
The third category is confidential company data, which is information that can never be publicly disclosed, regardless of economic value. Access to this data is highly restricted and there are significant penalties for its disclosure or destruction. For example, the social insurance numbers of your employees.
Public Customer Data
The fourth category, public customer data, is public information available to anyone. There is really no issue in disclosing or using this type of data. For example, the types of pizza offered at your restaurant.
Confidential Customer Data
The fifth and final category is confidential customer data. Access to this type of data will also be restricted and can have a negative impact if it’s disclosed or stolen. For example, the financial information of your customers who pay online.
Once you’ve grouped your data, prioritize the high-risk categories. Invest extra time and effort in developing strategies and procedures for these categories.
A data security policy has to meet not only management’s standards but also those of external auditors and relevant stakeholders. So, when building your policy, you need to consider outsiders’ expectations.
Use these resources to develop a basic framework that receives a passing grade from data security experts. Or, download our free template.
While Writing Your Policy
When a company develops a data security policy, there are a few sections that are routinely overlooked or under-developed. What good is a data security policy that doesn’t provide key information like how to report suspicious behaviors or what to do in the event that there is a data breach?
A winning data security policy will include all of the sections below (plus any others unique to your industry).
A winning data security policy doesn’t just dive right into antivirus software, what to do about phishing emails or naming those responsible for patch management.
Instead, a winning data security policy starts by setting the stage with context and foundational knowledge.
Introduce the policy. Explain simply why data security is important, what a data breach is and how it would affect the company negatively.
Here you can share the goals you identified earlier. Explain to the reader that the entire policy should be read with these goals in mind.
Outline the scope of this policy.
Do the provisions in the policy apply to all information assets or only confidential data? Does the scope of the policy apply to all personnel, including third-party vendors and processors? What systems or networks are governed by the policy?
Remember that your audience isn’t solely data security experts – it’s also your HR department, your data entry clerks, operations staff and your sales reps.
Provide definitions for complex topics and jargon words that might confuse the average reader, such as personal data, data processors, data users, data controllers and data subjects.
In this section, you may also want to define the data categories you identified in step three.
Noncompliance + Disciplinary Action
Your data security policy should provide information about the company’s disciplinary action procedure. What are the consequences in various situations? Acknowledge that each incident is examined on a case-by-case basis, but describe in general terms the consequences for individuals who:
- deliberately steal data
- accidentally cause a data breach
- don’t comply with security procedures
Assigning accountability is an important part of maintaining data security and staying organized in the event of a breach. Your policy should clearly outline the roles and responsibilities of both departments and individuals in the workplace.
For example, describe the roles and responsibilities of access administrators, users, managers, the Information Systems department and the Human Resources department. Also, if you have a Data Protection Officer, describe their role and provide their contact information.
Make note that it is everyone’s responsibility to complete data security training. It is also a collective duty to speak up about bizarre behaviors, unusual visitors, gaps in security systems, phishing attempts or lost devices.
Security incidents aren’t always the result of a malicious attack on a company. A lot of the time, a data breach is the result of employee ignorance. This is why your policy should explain data security principles and best practices.
The data security principles are those you identified as your “golden rules” earlier. Best practices are the behaviors or courses of action that uphold the rules. They’re good habits.
For example, best practices you may want to share include shredding paper documents after ten business days, always encrypting email files or keeping data transfers to a minimum.
Your policy should also provide details about the procedures in place to protect data and prevent breaches. Most policies touch on network configuration, workstation security, password management, acceptable use, remote access and more. Every company’s policy will be different depending on the procedures they’ve implemented.
Hardware & Access Security Measures
Describe the official way of accessing or setting up network services. Provide instructions for things like remotely accessing the network, securing routers and other hardware, configuring operating systems and creating accounts.
Software & Antivirus Security Measures
Provide information about antivirus and firewall programs and software in place to keep data safe. Explain patch management and other unique strategies you use to scan for vulnerabilities, such as employing white hat hackers.
Describe the company’s password management protocol. For example, explain that employees must update their passwords every three months with a strong password composed of upper and lowercase letters, numbers and symbols. Also, explain the importance of not sharing passwords with others.
Communicate acceptable use of email with clear standards for message content, encryption and file transfers. Provide tips and tricks for detecting phishing attempts.
Communicate acceptable use of the internet by establishing limits on usage. Create a list of websites employees can trust and may use for work.
Communicate acceptable use of social networking by providing examples of appropriate and inappropriate content. Hold employees accountable for what they post.
Have employees sign that they have read, understand and acknowledge this section of the policy. This explicit agreement may be useful if an incident occurs that requires disciplinary action.
User Roles Access & Monitoring
A key piece of data security is creating and maintaining user roles and user access. Following the principle of least access, make sure users are only able to access data necessary for their jobs.
Also, keep a watchful eye on account behavior with monitoring and tracking. Many digital compromises originate from legitimate but inactive user accounts, such as those of resentful former employees looking to expose private company data.
Detail step-by-step how to report suspicious behaviors or a security incident. Most companies provide online forms for reporting incidents, but you may also wish to provide a phone number or the contact information for the designated Data Protection Officer (DPO).
Writing out the procedure in detail is important because companies are often plagued with miscommunication and misinformation when it comes to policy. Time is of the essence in a security incident so a clear, simple “how-to” can mean the difference between an incident that’s fixable and one that’s catastrophic.
Also, explain the next steps for mitigating damage. For example, remind employees not to speak to anyone about the incident as this can be detrimental to the company’s reputation.
Develop a comprehensive incident response plan, assign a team responsible for carrying it out and then detail that process in the policy. If a breach occurs, you will be thankful to have not only a plan in place but to have it spelled out in the policy for others to be informed.
The incident response plan will consist of how to evaluate the breach, how to report an incident internally, how to inform the public and how to identify and carry out corrective and preventive actions.
To learn more about developing an incident response plan, check out our how-to guide.
After Writing Your Policy
After a company develops a data security policy, it’s often left to collect dust. Your steps after implementation are what turn a great but forgotten policy into one that is great and obeyed.
A winning data security policy will be followed up with regular audits to ensure compliance and regular updates to reflect the ever-changing data breach landscape.
Take the time to evaluate the effectiveness of the policy. After working so hard to write out roles, responsibilities, best practices and procedures, the next logical step is to develop a process to monitor compliance.
Regular audits will help ensure that employees and leaders are being compliant. Take it a step further than your regular bi-annual internal audit by bringing in third-party auditors to take a look at random times.
Take the time to evaluate the relevance of the policy. Data thieves know how valuable sensitive data is, which is why they work hard to find new, creative ways to steal your information. This means your procedures can go out of date fast.
It’s your job to follow the news. Set up alerts for recent breaches. Read about new malware. Research new security strategies. Use what you’ve learned to improve your data security process, then update your policy to reflect the changes.