Tips for Financial Institutions to Enhance Your Information Security Policies

Information security policies are the foundation of a strong information security program. Organizations must implement policies that govern the protection of information and of the systems that access, gather, share, store, process, and transmit it.

It is important to keep in mind that information security policies set forth the “rules of engagement” in an organization. In addition, policies must be aligned with the business mission and must cover the minimum security requirements of the applicable regulatory compliance guidelines.

Whether you choose the ISO 27002 framework and standards, or your organization needs to comply with the PCI Data Security Standard, GLBA, or HIPAA, the foundation of each of these regulatory frameworks and industry standards is a set of well-defined information security policies. At a minimum, an information security program should include the following policies:

  • Access Management Policy
  • Password Management Policy
  • E-mail Policy
  • Internet Acceptable Use Policy
  • Disaster Recovery Policy
  • Data Classification Policy
  • Monitoring and Auditing Policy
  • Incident Response Policy
  • Encryption Policy
  • Consequences for Non-Compliance Policy
  • Backup and Restore Policy
  • Physical Security Policy

The following basic tips will help you enhance your information security policies:

  • Take the time to perform a thorough review of your current policies.
  • Make sure that your information security policies are aligned with your business strategy and that they address your regulatory compliance guidelines.
  • Remember that policies should be actionable, usable, workable, and realistic.
  • Communicate your organization’s information security policies, outlining the expectations for the appropriate use of its systems as well as the consequences for inappropriate use.
  • Review your policies at least once a year to ensure they remain applicable.
  • Get help from a service provider or consultant with experience in policy development and management, so they can help you review and update your policies.
