Why is it so important for companies to have policies when it comes to information security? How can a company develop some policies if they do not have any? Where can they go to gather information?

It is extremely important for companies to have policies related to information security because these policies serve many purposes. First, they guide the people who use the information contained in the company database: the policy defines the role of different employees when it comes to using the information system. Second, they help the company in legal matters if a legal issue arises related to the information.

Developing a security policy involves:

  1. Know the organization
  2. Define the scope of the policy
  3. Know the target audience
  4. Make sure that the policy can easily be translated to procedures
  5. Be aware of internal and external threats
  6. Be realistic
  7. Avoid controversy