An information security policy document contains the written statements for how an organization intends to protect information. Written information security policy documents are required for compliance with various security and privacy regulations such as HIPAA and the Sarbanes-Oxley Act.
Elements of an information security policy document
An ideal information security policy document should contain the following elements:
- Title - Brief description of the document.
- Number - A number or unique identifier for the policy document.
- Author - The author of the document.
- Publish Date - The date the policy was officially approved.
- Scope - Describes the organizational scope that this policy applies to.
- Policy Text - The written policies.
- Sanctions - Provides information on violations of the written policy.
- Sponsor - The executive sponsor of the policy document.
Types of information security policy documents