The increase in the use of technology in recent years has meant that all organisations should now ensure that they have a well written, continually developed information security policy in place. This policy should be provided to all those who have access to information.
These technological advancements have led to an increased use of data and, as several recent high-profile cases have highlighted, it is vital that data is correctly managed and protected. Information security policies are often said to rest on three basic principles: confidentiality, integrity and availability, and it is imperative that any information about individuals is controlled correctly.
What is an Information Security Policy?
An Information Security Policy is a document or set of documents which provides details of how information stored on electronic forms of media must be handled. For most organisations, such information is vital to the success of the business; should such information be compromised in any way, the organisation concerned can suffer in a variety of ways. An information security policy ensures that any information is kept confidential, and that access is only given to those who require it. Further, the policy should deal with how and where this information is stored and transferred, as well as ensuring that the information is correct, complete and readily available should it be required.
The two most important pieces of legislation to consider in this regard are the Data Protection Act 1998 and the Computer Misuse Act 1990. By looking at these two Acts in more detail we can begin to understand the purpose of an information security policy, as well as see some of the clauses that will commonly be included in such a policy. However, it is important to note that these are not the only two pieces of legislation concerning information security, but they are the two that will arise most commonly.
Data Protection Act 1998
The Data Protection Act deals with personal data, which may include information such as name, date of birth or anything else which is not publicly known. The Act sets out eight principles which must be adhered to. These principles cover how, where and when data is processed and who processes it. The principles of this Act are fairly extensive, but by examining each of the eight principles and then making sure that each of these areas is dealt with in any information security policy, one can be confident that the policy will be thorough and cover most relevant situations.
Computer Misuse Act 1990
The Computer Misuse Act deals with different situations of unauthorised access to information. Normally, this relates to hacking or the introduction of viruses into a system or network, and any policy should therefore cover details of how unauthorised access will be prevented.
Why should an organisation have an Information Security Policy?
As well as ensuring compliance with the above-mentioned legislation, an information security policy is important because it means that all employees are clear about how information should be managed. This mitigates the business and legal risks involved with personal data and other information, as well as providing a form of support in the event of any breach or potential breach of the information security policy. Failing to have a policy, or failing to implement it, creates risks in employment law terms, increases the possibility of internal fraud and carries significant reputational risks.
Producing an Information Security Policy
It is extremely important that all policies are drafted to take into account the specifics and nature of the company involved, and although each policy will reflect the particular information that the organisation holds, there are a number of common themes. Each policy should include an introduction outlining the need for such a policy as well as explaining its purpose. There should then be a detailed explanation of the types of information held, how access to this information is to be controlled and details of all responsible individuals. The policy should be clear and easy to understand, as well as being accessible. Further, it is important to ensure that the policy is compliant with all applicable law, and that it sets out the process to be followed should the policy be breached in any way.
For cost effective and practical advice on a suitable policy, you may find that the business law department of Darlingtons Solicitors can help.