Why is it important to have a good understanding of information security policies and procedures?


Policies and Procedures are two of the words that most employees dread to hear, especially when it comes to IT Security. Why does this phenomenon occur? Is it because people don’t want to be told what to do? Is it because people feel as though they are being “micromanaged” when they have to abide by and comply with policies and procedures? The answer is probably a little of both, along with many other reasons that are unique to each specific company. The next obvious question is: why do we need to have IT Security policies and procedures? Well, there are many reasons, and here are the top 5, in no particular order:

  • They address threats – Threats are everywhere, especially when it comes to IT Security and the explosion of Ransomware these days. The goal behind IT Security Policies and Procedures is to address those threats, implement strategies on how to mitigate those threats, and how to recover from threats that have exposed a portion of your organization.
  • They engage employees – I know that this might sound a little crazy, but bear with me on this one. Think about a time when you worked for an organization that forced a bunch of policies and procedures down your throat. What were some of the thoughts that you had? Where did these come from? Who created them? Why are we doing this? These are all valid questions, and ones that can be avoided when you engage employees in the process of developing and implementing IT Security policies and procedures. Of course, there are going to be instances when organizations have to create and implement policies and procedures without engaging employees, for obvious reasons. But think about the message that your organization is sending when it allows employees to participate in either the development or review of these policies and procedures.
  • Who does what, when, and why? – IT Security policies and procedures provide a roadmap to employees of what to do and when to do it. Think about those annoying password management policies that every company has. You know the ones where you have to change your password every 47 minutes and can’t use the last 56 passwords that you previously entered. If that policy and procedure didn’t exist in organizations, how common would it be for people to use simple, easy-to-guess passwords that ultimately open the organization to increased risk of data theft and/or data loss?
  • Who gets access to what – Think about the days when you were back in college and you would go to a nightclub. Do you remember when you would venture towards the back of the nightclub and there was the VIP section with a very large, angry person guarding who got in and who didn’t get in? Policies and procedures play the role of bouncer in a nightclub. They dictate who has access to what information, why, and reasons for accessing it. Without policies and procedures in place, everyone would be allowed into the VIP section and that wouldn’t be good for business.
  • What’s the penalty – IT Security policies and procedures outline the consequences for failing to abide by the organization's rules when it comes to IT Security. We all have choices to make as to whether we are going to comply with the policy that has been outlined; that's just human nature. But people like to know, and need to know, what the consequence is for failing to follow a policy. Policies and procedures provide what the expectation is, how to achieve that expectation, and what the consequence is for failure to adhere to that expectation. This eliminates any and all surprises as this will be clearly outlined, thus protecting the organization.

IT Security policies and procedures are necessary, and organizations are often required to have them in place to comply with various Federal, State, and Industry regulations (PCI Compliance, HIPAA Compliance, etc.). The development, implementation, and review of these policies and procedures can be another challenge completely, which is why we decided to write a brief eBook on some of the most important IT Security Policies for any organization to have in place.

Editor's Note: This post was originally published in September of 2015 and updated in May of 2017 for accuracy and comprehensiveness.

Why is it important to follow organisational policies and procedures relating to information security?

Why is this important? Policies and procedures provide clarity and consistency, by communicating what people need to do and why. Policies can also communicate goals, values and a positive tone. Data protection law specifically requires you to put in place data protection policies where proportionate.

What are policies and procedures in information security?

An information security policy makes it possible to coordinate and enforce a security program and communicate security measures to third parties and external auditors. To be effective, an information security policy should:

  • Cover end-to-end security processes across the organization.
  • Be enforceable and practical.