information-security-policy

# Information Security Policy

Drafts a formal Information Security Policy satisfying multi-framework regulatory requirements with enforceable operational guidance.

## Prerequisites

1. **Org profile** — industry sector, employee count, jurisdictions of operation
2. **Regulatory triggers** — applicable frameworks (HIPAA, GDPR, CCPA, GLBA, FERPA, PCI DSS, SOC 2, ISO 27001, NIST CSF)
3. **Existing governance docs** — current policies, data classification schemes, incident response plans
4. **Data inventory** — sensitive data categories handled (PHI, PII, payment card data, student records, trade secrets)
5. **Approving authority** — CEO, Board, CISO, General Counsel signature blocks needed

## Output Structure

### Document Control Block

| Field | Content |
|-------|---------|
| Policy Title | Information Security Policy |
| Version / Effective Date | [#] / [Date] |
| Approved By / Owner | [Title] / CISO or equivalent |
| Next Review | [Date + 1 year] |
| Supersedes | [Prior version or N/A] |

### Section Outline

**1. Purpose & Authority**
- Business rationale (financial, reputational, regulatory risk)
- Authorizing resolution; relationship to other org policies

**2. Scope**
- **Entities:** parent, subsidiaries, affiliates, JVs
- **Personnel:** employees, contractors, vendors, partners
- **Assets:** electronic data, physical records, IP, BYOD, remote environments
- **Exclusions:** publicly available info, de-identified data (define standard)

**3. Definitions**
Define with legal precision; flag where definitions vary by jurisdiction:
- Confidential Information, Personal Data / PII (per GDPR Art. 4, CCPA § 1798.140, HIPAA 45 C.F.R. § 160.103)
- Data Breach, Security Incident, Data Owner, Data Custodian, Authorized User
- Classification Levels: Public / Internal / Confidential / Restricted

**4. Data Classification**

| Level | Description | Examples |
|-------|-------------|---------|
| Public | Approved for external release | Marketing materials |
| Internal | Business use; not for external distribution | Org charts, internal memos |
| Confidential | Limited distribution; legal obligations | Customer PII, financial data |
| Restricted | Highest sensitivity; regulatory protection | PHI, payment card data, credentials |

**5. Access Controls**
- Least privilege; separation of duties
- Lifecycle: request → data owner approval → provisioning → quarterly review → revocation on role change/termination
- Privileged access: separate admin accounts; logged and audited

**6. Authentication**

| Requirement | Standard |
|-------------|---------|
| Password length | 12+ characters; mixed case, numbers, symbols |
| MFA required for | Remote access, privileged accounts, Restricted data, cloud admin |
| Acceptable MFA | TOTP, hardware token, biometric; SMS discouraged for high-risk |
| Shared credentials | Prohibited |

**7. Encryption Standards**

| Context | Minimum Standard |
|---------|-----------------|
| Data at rest (Confidential/Restricted) | AES-256 |
| Data in transit | TLS 1.2+ (1.3 preferred) |
| Portable devices | Full-disk encryption |
| Email (Restricted) | End-to-end or secure portal |
| Backup media | Encrypted; separate key management |

Review annually; superseded by org Security Standards if more stringent.

**8. Acceptable Use**
- Prohibited: illegal activity, harassment, circumventing controls, credential sharing
- Monitoring: org reserves right; no expectation of privacy on org systems
- BYOD: MDM enrollment, encryption, remote wipe on loss/termination

**9. Physical Security**
- Lock unattended devices; clean desk for Confidential/Restricted materials
- Secure disposal: cross-cut shredding (paper); cryptographic erasure or destruction (media)
- Visitor access: escorted in secure areas; logs maintained

**10. Data Retention & Disposal**

| Category | Period | Basis |
|----------|--------|-------|
| PHI | 6 years | HIPAA 45 C.F.R. § 164.530(j) |
| Financial records | 7 years | IRS / GLBA |
| Student records | Per FERPA | 34 C.F.R. § 99 |
| Incident logs | 3 years min | [Regulatory basis] |

Certificate of destruction required for Restricted data.

**11. Roles & Responsibilities**

| Role | Obligations |
|------|-------------|
| Board / Exec | Policy approval; resource allocation |
| CISO | Program ownership; standards; audit; regulator liaison |
| IT / Security | Controls; patching; monitoring; vulnerability mgmt |
| Legal / Privacy | Breach notification decisions; regulatory liaison |
| Managers | Access approval; team compliance; off-boarding |
| All Employees | Credential protection; incident reporting; training |
| DPO | Required under GDPR Art. 37 if applicable |

**12. Incident Response**

Lifecycle:
1. **Detect & Report** — within [1–4 hours] to security hotline
2. **Assess** — severity triage; activate IRT if Sev 1/2
3. **Contain** — isolate systems; preserve evidence; chain of custody
4. **Eradicate** — remove threat; patch vulnerability
5. **Recover** — restore from clean backups; verify integrity
6. **Post-Incident Review** — within 14 days; root cause; corrective action plan

IRT: CISO (lead), IT Security, Legal, HR, PR/Comms, Executive Sponsor.

**13. Breach Notification**

| Framework | Deadline | Recipients |
|-----------|----------|-----------|
| HIPAA | 60 days (individuals); 60 days HHS + media if 500+ | Individuals, HHS, media |
| GDPR | 72 hours to SA; without undue delay to individuals if high risk | SA, affected individuals |
| CCPA/CPRA | Expedient / without unreasonable delay | Consumers; AG if 500+ CA |
| State laws | 30–90 days (varies) | Residents, AGs, credit bureaus |
| PCI DSS | Immediately | Card brands, acquiring bank |

Legal counsel notified immediately upon any incident involving personal data.

**14. Third-Party & Vendor Management**
- Security assessment before vendor access to Confidential/Restricted data
- Required contractual provisions: DPA / BAA as applicable
- Right-to-audit for Restricted data vendors
- Access revoked immediately on contract termination

**15. Regulatory Compliance Matrix**

| Framework | Applicability | Key Requirements |
|-----------|--------------|-----------------|
| HIPAA (45 C.F.R. §§ 164.302–318) | Healthcare / PHI | Admin, physical, technical safeguards; BAAs |
| GLBA (16 C.F.R. § 314) | Financial institutions | Risk assessment; safeguards; service provider oversight |
| FERPA (34 C.F.R. § 99) | Education | Student record protection; disclosure restrictions |
| GDPR | EU personal data | Lawful basis; data subject rights; DPIAs; SCCs |
| CCPA/CPRA | CA residents | Consumer rights; opt-out; privacy notice |
| PCI DSS v4.0 | Payment cards | Detailed controls in separate PCI procedures |
| NIST CSF 2.0 | Voluntary | Identify, Protect, Detect, Respond, Recover, Govern |
| ISO 27001 | Voluntary | ISMS; Annex A controls |

**16. Training & Awareness**
- All personnel: at hire + annually; phishing simulation semi-annually
- High-risk roles (sysadmins, developers, finance): role-specific training annually
- Completion tracked; non-completion escalated; records retained 3 years

**17. Compliance Monitoring & Audit**
- Annual risk assessment; quarterly vulnerability scans; annual penetration test
- Access reviews: semi-annual (Confidential), quarterly (Restricted)
- Remediation SLAs — Critical: 30 days, High: 60 days, Medium: 90 days

**18. Enforcement**
Progressive discipline: retraining → written warning → suspension/termination → civil liability → criminal referral. Factors: intent, severity, prior violations, self-reporting.

**19. Policy Administration**
- Review: annually or upon major incident, regulatory change, material org change
- Approval: [CEO/Board] on CISO + General Counsel recommendation
- Employees acknowledge receipt in writing; at-will status unaffected

### Signature Block

| Role | Name | Signature | Date |
|------|------|-----------|------|
| CEO | | | |
| CISO | | | |
| General Counsel | | | |

### Employee Acknowledgment
*I acknowledge receipt of, have read, and agree to comply with the Information Security Policy (Version [#], effective [Date]).*

Name: ______ Title: ______ Date: ______ Signature: ______

## Guidelines

- **Multi-jurisdiction conflicts:** apply most stringent standard or add jurisdiction-specific schedules
- **Encryption floors:** AES-256 / TLS 1.2+ are minimums; revise per NIST guidance updates
- **GDPR DPO:** required if org is public authority, conducts large-scale monitoring, or processes special category data at scale — confirm applicability before drafting `[VERIFY]`
- **HIPAA BAAs:** policy cross-references but does not replace BAA; maintain separate vendor register
- **PCI DSS:** detailed technical controls in separate PCI documentation to allow updates without policy re-approval
- **At-will disclaimer:** verify enforceability under applicable state law `[VERIFY]`
- **Collective bargaining:** if unionized workforce, confirm no bargaining obligation before implementation
- **Do not fabricate citations** — use `[VERIFY]` for any citation not confirmed against primary source