The following sample policy on information asset protection can be tailored to any organization and promulgated on paper and on the company intranet. It is adapted from the policy in the ASIS International Information Asset Protection Guideline (2007).
A. POLICY OVERVIEW
We are committed to protecting the organization’s assets, including employees, information, and work environment, to enable us to achieve our business goals. As such, we have established this information asset protection (IAP) policy. It sets forth our guiding principles with respect to protecting the organization’s information assets.
Information is a key organizational asset and will be protected commensurate with its value and based on the results of periodic risk assessments. The protection strategy is based on the following principles:
- Protecting information assets will consist of identifying, valuating, classifying, and labeling in an effort to guard against unauthorized access, use, disclosure, modification, destruction, or denial.
- Controls will represent cost-effective, risk-based measures consistent with other policies and the strategic goals of the organization.
The IAP strategy integrates traditional security, information technology security, and legal and administrative functions.
- Responsibility and accountability extends to all employees as well as consultants, contractors, subcontractors, part-time employees, temporary employees, interns, teaming partners, and associates.
- We will meet all applicable legal and regulatory requirements.
B. IAP PROGRAM MANAGER
All questions, issues, and concerns related to this policy will be directed to the IAP program manager [provide contact information.]
The IAP policy applies to all employees and to the extended enterprise—that is, individuals and entities with access to the organization’s information assets, people, and facilities.
D. INFORMATION ASSETS
Our information assets fall into a variety of categories, some of which are subject to specific laws and regulations. In those cases, we will comply with all applicable laws and regulations. This may become complicated in some circumstances when laws and regulations at the local, state, federal, and international levels may all apply. Contact the organization’s counsel or IAP program manager for guidance in specific cases.
The major categories of information assets include privacy information, proprietary information, trade secrets, patents, copyrights, trademarks, financial data, and regulated information. Each category warrants certain protections according to the IAP policy.
E. INFORMATION CLASSIFICATION AND SHARING
It is essential to share information both internally and externally to achieve our business objectives. However, it is also our responsibility to ensure that sensitive information assets are protected from loss or compromise. All employees and members of our extended enterprise are responsible for sharing information assets appropriately and protecting them from inappropriate disclosure, modification, misuse, or loss.
To protect information (paper, electronic, oral, etc.) according to its business value, we have developed policies, practices, and procedures as part of our IAP program. Included is a mechanism to classify our information assets into four categories: highly restricted, restricted, internal use, and unrestricted:
Highly restricted is used for proprietary information that could allow a competitor to take action that could seriously damage our competitive position or that, if disclosed, could significantly damage the organization’s financial or competitive position. Strict precautions are used to eliminate accidental or deliberate disclosure and to detect unauthorized attempted access. Access for employees is limited to specifically authorized individuals. Access for non-employees is limited to individuals who are approved and are covered by a nondisclosure agreement (NDA).
Restricted is used for information that is organizationally or competitively sensitive or that could introduce legal or employee privacy risks. Precautions are taken to reduce accidental or deliberate disclosure. Access for employees is based on the individual’s role. Access for non-employees is limited to individuals who are approved and are covered by an NDA.
Internal use is used for information generated within the organization that is not intended for public distribution. Commonsense precautions are used to reasonably protect this information. Access is generally limited to employees. Access for nonemployees is limited to individuals or organizations that are approved and are covered by an NDA.
Unrestricted is used for information that can be shared inside and outside the organization.
Everyone is required to take these steps:
- Follow all procedures and practices regarding the protection of information assets.
- Participate in incident management, risk assessments, work processes, and control mechanisms that support the policy.
- Ensure that proper access controls are in place for any information you create or own.
- Use common sense and forethought in the release of organization-related information.
Employees in designated roles have been assigned specific responsibilities for the deployment, implementation, and maintenance of the IAP policy. These roles and responsibilities are as follows:
IAP program manager is responsible for overall policy, including
- determining the levels and the protection required within each level
- providing baseline information security through the organization’s technology infrastructure
- providing IAP management reports as appropriate
- coordinating the program with other members of the organization
Other managers and directors are responsible for employees’ understanding of and compliance with the IAP policy as well as organizational practices and procedures. These managers and director may be responsible for
- training employees on all classification levels
- ensuring that work processes and controls support the policy
- ensuring that risk assessments are conducted as needed and that incidents are managed within the framework of the IAP policy
F. EMPLOYEE PRIVACY
Employee data is a resource to be protected against alteration, loss, or unauthorized disclosure. We guard information that is essential to running the business and protect this information from disclosure to anyone other than those who have a legitimate business need or legal right to have it.
The privacy and confidentiality of personnel records must be assured. Any personal information collected by the organization will be necessary and relevant and will be obtained and maintained using methods that respect the individual’s right to privacy as well as applicable laws and regulations. In addition, each employee has the right to know what type of personal information the organization maintains about him or her and how it is or may be used.
Periodic audits may be conducted to ensure compliance with organizational policy as well as laws and regulations regarding privacy and personal information management.
G. SECURING OUR PROPERTY
We are committed to providing security for our tangible and intangible assets to avoid loss. Each of us should do the following:
- Help ensure that access to the organization’s facilities is limited to authorized persons or approved visitors.
- Wear and display appropriate identification as defined by organizational policy.
- Address security issues in a proactive manner, seeking early involvement of the security department in new brand initiatives, construction projects, and related issues.
- Be aware of and take appropriate action on potential security risks at work.
Managers in company branches will ensure that facilities meet recommended access control standards and comply with other security guidance and will respond to security incidents or concerns, ensuring they are properly reported to the security department.
The security department, in conjunction with other departments, has the responsibility to conduct any investigative activities in cases of known or suspected information loss, compromise, theft, manipulation, denial of access, fraud, or conflict of interest. Security also has the responsibility for involving local authorities as appropriate. Specialized expertise should be engaged through trusted external providers when appropriate.
Specific measures for handling, marking, storage, transmission and transport, copying, declassification, and destruction of sensitive information are provided in our organization’s practices and procedures, available on our intranet.
H. SECURITY AWARENESS AND TRAINING
Each employee and member of the extended enterprise is responsible for protecting our information assets. Each individual must also be aware of the reasons or need for controls, as well as the practices and procedures that comprise our IAP program. Security, in conjunction with the IAP program manager, will provide periodic security awareness training that will include up-to-date information on the risks to information assets and prudent defensive measures. Awareness will also be facilitated through regular newsletter articles, reminders, and Web-based resources.
Our intention is to keep security at the forefront of peoples’ minds and to give everyone the necessary IAP tools, such as easy and quick access to company practices and procedures and useful answers to any questions.
I. PUBLIC RELEASE OF INFORMATION
Direct all media inquiries to the external affairs director to ensure that public information is presented consistently and that information requests are monitored.
J. PUBLICATIONS AND PRESENTATIONS
We encourage the appropriate sharing of information through presentations and publications. Such sharing fosters innovation, networking, market development, public relations, and community awareness.
Any information shared must follow the IAP policy regarding security precautions for each respective classification level. Contact your manager if you have questions regarding the information to be shared.
The external affairs department should be informed of all planned presentations and publications to outside audiences. Presentations and publications that could potentially involve restricted or highly restricted information should be consistent with the organization’s IAP policy.
K. TRAVEL SECURITY PLANNING
Information assets are particularly vulnerable when our employees and associates travel. Therefore, IAP-focused travel security training should be developed. The training should discuss the security environment of the travel destination and review relevant security practices and procedures. These may include visit requests or notifications, reporting procedures, material packaging or forwarding, and preparation of storage media. Any security issue, suspicious activity, or other problem encountered during the trip should be reported to the security department, the IAP program manager, or the traveler’s own manager.
Notebook computers and handheld devices are particularly vulnerable to theft during travel. The use of wireless devices and networks outside of the organization’s facilities is subject to restrictions outlined in the organization’s practices and procedures. In addition, employees should not discuss sensitive information in public places where conversations can be overheard or recorded—or with individuals who do not have a need to know.
L. NEW PROJECTS AND INITIATIVES
All new research, development, product line, or brand initiatives should be protected using the security principles and strategies detailed in the IAP policy and the supporting practices and procedures. An IAP plan should be considered for any projects involving highly restricted or restricted information.
M. IT RESOURCES
Computers, peripherals, and handheld and wireless devices owned or issued by the organization remain the property of the organization and are intended for business use only. All such systems and the information contained on them are subject to monitoring or review by the organization’s officials or representatives, and no expectation of privacy exists in the possession or use of these systems.
Individuals (employees and members of the extended enterprise) are responsible for proper handling and protection of all hardware, firmware, software, data, and information associated with these systems. This includes ensuring that software is properly licensed and that the equipment is reasonably protected from theft, tampering, and misuse.
In addition, individuals are responsible for protecting all information that may reside on such systems, regardless of its sensitivity or subject matter. Information must be properly protected while resident on the system and while being processed, copied, transmitted, received, or exchanged.
Although a limited and reasonable amount of non-business use may be tolerated in some cases (e.g., receiving a personal phone call on a company mobile telephone), such use should be minimal and proper security measures still apply. Under no circumstances will any inappropriate matter (e.g., pornography, illegal activities, defamatory material, threats, etc.) be accessed, downloaded, stored, transmitted, or processed on company-owned or issued systems.
N. WEB PRESENCE
Individuals must ensure that any information they post on-line follows IAP policy procedures for highly restricted, restricted, and internal use information.
O. TRUSTED RELATIONSHIPS (EXTENDED ENTERPRISE)
Specific obligations, practices, and procedures for IAP will be documented in written agreements prior to the execution of any contract, consulting engagement, or other business relationship that may involve the exchange of or access to sensitive information. The agreements may include an NDA, contract clauses, memoranda of understanding, or other formats. The agreement should specify the type of information to which it applies, the identity of the parties involved, the purpose of the agreement, and the time period for which it will remain valid. Specific reference to the IAP policy and other relevant organizational policies, practices, and procedures will be made in all such agreements.
Individuals and entities in a trusted relationship with our organization should be made aware that their obligation to protect certain information may extend beyond the period of their relationship with us or the end of a particular project. In addition to our written agreement, local, state, federal, or international laws and regulations may also apply to information protection and disclosure matters.
P. REPORTING SUSPICIOUS ACTIVITY OR SUSPECTED LOSSES OR COMPROMISES
Individuals should notify the IAP program manager or security department about (1) any inappropriate approaches (in person or electronic) by individuals requesting sensitive information, (2) any other suspicious activity, and (3) any suspected loss or compromise of sensitive information. These issues can be reported as follows [list contact information].
This organization abides by copyright, trademark, trade secret, and patent law.
Employees who violate this policy—either intentionally or through negligence—may be subject to disciplinary action, including possible termination. In addition, employees, individuals, and entities covered under this policy may be subject to administrative actions, criminal prosecution, or civil actions for violations.