Cybersecurity detects and mitigates attacks against an organization, such as phishing, intrusions and malware. Information security, on the other hand, lays the foundation for preventing and withstanding those attacks by providing the processes and tools.
An information security policy is the high-level plan of action that management puts in place to guide employees on how to protect the organization's data and technology, and to show current and potential customers that the organization takes proper precautions to safeguard their data.
The policy should:
- Provide the framework (for example NIST SP 800-171, FISMA, ISO/IEC 27001, PCI DSS, HITRUST or COBIT) for protecting the confidentiality, ensuring the integrity and maintaining the availability of the company's data (the CIA triad)
- Minimize the risk of security breaches as well as define how to respond and recover
- Assist in regulatory compliance
- Define the scope of coverage
- Assign responsibility for compliance and define the actions to be taken in case of noncompliance
The goal should be to establish an information security policy if none currently exists, or to review and mature the one you have. If just starting out, scope the areas the policy will cover and align with a framework to guide compliance with its controls. Continuous review of an existing policy ensures that its scope is still appropriate and that it still protects the information it was meant to protect.