An information security policy

A security policy takes into account every aspect that represents a danger to, or could cause damage to, an organisation. All these possibilities are mapped and studied so that appropriate measures can be chosen.

First of all, we have to establish what exactly can be in danger, in other words what the company owns: its assets.

We then look for the dangers threatening those assets. Such threats can be a fire or a computer crash, but also unintentional human threats, for example an individual leaving a confidential document on a train by accident. Individuals can also intend to harm the enterprise, for instance burglars or industrial spies.

Besides threats, we have to take into account the company's weakest links, its vulnerabilities, which can be software that was not installed correctly or a faulty lock on the door of a room where important information is kept. A threat only causes damage when it finds such a weak spot: because of a programming error, for example, an attacker can break into the system and destroy a file.

Unfortunately, there are also incidents nobody planned for, such as an overload of the information system, so we have to try to anticipate the incidents that could occur. Moreover, every incident has consequences, and their impact can sometimes be enormous: a compromised file containing data on child allowances could seriously disadvantage the families concerned. A solution has to be found for these consequences as well.

Finally, we have to try to assess the risks the company runs. For each danger we estimate the likelihood that it will actually occur at the company, and we try to predict what its consequences would be. A virus could, for example, delete a file containing salary calculations, or a member of staff could give his accounting file password to a colleague. Both are incidents, but their likelihood and their consequences can be very different, and it is the combination of the two that determines how serious a risk is.

Now that we are aware of all the elements that can put a company at risk, we can draw up security measures. For each of the dangers and risks we have identified, the most suitable solution for the company is sought. We can reduce the likelihood of an incident by removing a threat or correcting a vulnerability, we can limit the consequences should an incident occur anyway, and we can actively monitor for incidents so that we can intervene before the situation gets any worse.

Finally, there are remaining or residual risks, which continue to exist after the security measures have been introduced. These residual risks are unavoidable (human error, for example), but the idea is to keep them as limited as possible.

It is an illusion to think that we can exclude all risks. Even with the best possible security, unexpected incidents can always occur: malicious acts, for example, but also human errors, natural disasters, etc. Unfortunately, these dangers usually strike without warning. We have no other option than to learn to live with the risk. The only thing we can and must do is keep the residual risks as limited as possible. This is done differently in every company, which is also why there are no ready-made models for security policies. Every company will have to draw up the policy that best suits its own organisation.