
6 things a good IT security policy should include

Your IT security policy provides a roadmap for everyone in your company to ensure safety, security, compliance, and confidentiality. With 46% of US businesses reporting at least one data breach in 2018, a strong, adaptable, and realistic IT security policy is more important than ever for your business. With that in mind, here's our guide to preparing a good IT security policy.

Key elements of an IT security policy

1. An introduction

Your IT security policy is a comprehensive corporate document that should be accessible to all of your employees, not just IT specialists. As such, one key element of an IT security policy is the introduction, which should explain the scope of the document, define roles and responsibilities within the company, and reference other relevant documentation. You may also wish to include definitions for any specialized terms.

2. A threat assessment

Use this section to inventory the assets in your organization and the threats that are specific to each one. Include anything crucial to the everyday operation of your business, from hardware to premises to digital information, and consider threats as diverse as cybercrime, extreme weather, malware, physical intrusion, phishing and more. Anything that could threaten the security of your assets should be listed here, ideally with a note on how likely it is and how badly it would hurt the business, so that the policies in the next section can be prioritized accordingly.

3. Policies!

This is the main part of your security policy. In it, you will define how you intend to defend your assets from the threats you have identified. The exact policies required will vary from business to business, but some of the core elements of an IT security policy are outlined here:

  • Network policies: Firewall standards, backup schedules, remote access requirements, and rules regarding permitted software and hardware
  • System policies: Policies governing the use of company email, internet access, social media, and personal devices on the company network
  • Identity policies: Rules covering the protection of user accounts, password requirements, and access management (who is granted access to what, and how that access is reviewed and revoked)
  • Physical security policies: Access to your business premises, policies regarding visitors and contractors, and policies regarding CCTV
  • Acceptable use policies: Policies regarding the use of shared and assigned company equipment, networks and premises
  • Auditing policies: Details on how you will check, document and report compliance with the policies outlined above

4. Security oversight

A key element of an IT security policy is the definition of who oversees and is responsible for each area of security. A section of your policy should be dedicated to defining the security team within your organization, outlining key areas of responsibility and placing them within the hierarchy of your business. It's also good practice to state how, and to whom, employees should direct questions or report issues.

5. A disaster recovery plan

Your IT security policy should contain information on how to react and what actions to take when something goes wrong. This can cover everything from minor incident reporting to a full business continuity and disaster recovery plan. How will your business respond in the event of a data breach, a weather-based disaster, or a burglary? Use this section to reinforce your policy for data backups: how often they are created, through what methods, where they are stored, and how often you test that they can actually be restored. These will be vital in the event of a disaster, and an untested backup is not one you can rely on.

6. A training plan

Another key element of an IT security policy is an overview of training. Your staff is one of the most vulnerable assets in your organization, especially since (as noted by a recent PhishLabs study) phishing attacks now overwhelmingly target enterprises rather than individuals. Even the most thorough security policies will be of little use unless your staff is educated to understand and follow them, and you provide regular updates to keep them informed.


Your commitment to security doesn’t end once you’ve drafted a good security policy. Like any effective policy document, your security policy needs to be updated, managed, and actually enforced! When you treat your IT security policy as a living document that grows with your organization, you can feel confident in helping to keep your business safe, secure, and operational.