When developing an information security policy to protect the digital infrastructure of an organization, several key points must be addressed to form a solid framework that can be built upon and expanded as needed to meet future threats and changing technologies. The document should clearly define the information security objectives and the scope of technology the policy covers, and it should include a procedure for classifying data according to its required level of protection. While drafting the framework, it must be kept in mind that the policy will not apply uniformly to everyone in the organization; access control levels must therefore be clearly defined for each role, stating that role's responsibilities and permissions within the environment. The policy should conclude with a detailed incident response plan for a breach or failure, specifying the actions to take and naming the people responsible for taking them, so that business operations can continue and recover.
Organizations that connect to a public network are inherently at risk: law enforcement on the internet varies by jurisdiction, may be absent altogether, and is reactive after a crime has occurred rather than preventative. As a result, enterprises are ultimately accountable for the protection of their own cyber infrastructure. Dimitar Kostadinov of Infosec notes that, logically, an information security policy should be all-encompassing and "as broad as the minds of the creators"; he adds that many organizations take a policy template from the web and mix their existing practices with some modification of the template to meet their needs. This is usually accompanied by changing normal business behavior to fit a policy that is too broad and non-specific, and that likely contains exploitable gaps. A solid policy should instead be modular and have a life cycle during which it is reviewed and revised to keep pace with the rapidly changing information technology sector (Kadam, 2007).
Developing an all-encompassing information security policy is an ambitious project that requires the cooperation of every employee in the business and must have clearly defined goals and objectives that align with the organization. Management must agree with these goals, or the entire project can become dysfunctional (Kostadinov, 2020). The goals correspond to the five pillars of cyber security: confidentiality, integrity, availability, authenticity, and non-repudiation. By clearly defining how each individual contributes to those goals, the chances of the policy succeeding and of a breach being prevented are greatly increased. The next element of the policy to define is the technology itself, covering both corporate and personal electronic devices that access corporate resources.
The scope of the policy must be well defined, with an inventory taken across the entire organization so that all programs, data, systems, facilities, technological infrastructure, and even people, including third-party vendors who access any of those items, are thoughtfully included and managed appropriately (Kostadinov, 2020). This inventory makes a comprehensive threat analysis possible, so that vulnerabilities can be remedied and actionable plans developed to deal with the remaining liabilities. It also allows answers to critical questions to be formulated in advance and gives the business a better understanding of its level of risk. Kadam (2007), of Miel e-Security, argues that we should ask and answer: "What vulnerabilities exist within a system that could lead to confidential information being leaked? Why do they exist? How could a threat take advantage of a known vulnerability?" Knowing the answers to these questions allows action to be taken to mitigate risk.
Access control should be covered in the policy. Employees in an organization have different roles and responsibilities, so to maintain integrity and protect data, clear permissions must be defined for each role. Certain regulated industries require this: in healthcare, only those who need access to patient health information may access it, and allowing someone who is not legally permitted to view those records would violate HIPAA. In addition, Kadam (2007) noted that insider attacks have been increasing and have been described as far more devastating than outside attacks. The principles of least privilege and separation of duties (the security counterpart of the programming practice of separation of concerns, which keeps components apart for cleanliness, debugging, and security) are powerful tools here. Multiple employees may access the same servers within a business, but an employee who handles customer billing should not be able to read other employees' personnel files, which would expose their personal data, and access that is not explicitly granted should be denied by default.
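The access-control rules described above can be expressed as a small role-based model. The following is an added illustration, not code from the essay or from the cited sources; the roles, data domains, users and file names are constructed for the example. It shows two of the points made in the paragraph: access is denied unless a role explicitly grants the (domain, action) pair, and a person cannot hold two roles that the policy declares conflicting (the billing clerk who submits an invoice must not also be its approver). Every decision is appended to an audit log so a later investigation can reconstruct who did what.

```python
"""Minimal role-based access control with deny-by-default and a
separation-of-duties check. Added example: roles, domains, users and
resource names below are constructed, not taken from any real organization."""
from dataclasses import dataclass, field

# A permission is a (data_domain, action) pair. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "billing_clerk":    {("billing", "read"), ("billing", "write")},
    "billing_approver": {("billing", "read"), ("billing", "approve")},
    "hr_specialist":    {("employee_hr", "read"), ("employee_hr", "write")},
    "clinician":        {("patient_records", "read"), ("patient_records", "write")},
    "auditor":          {("billing", "read"), ("employee_hr", "read")},
}

# Role pairs one person must never hold at the same time (separation of duties).
CONFLICTING_ROLES = {frozenset({"billing_clerk", "billing_approver"})}


@dataclass
class Resource:
    name: str
    domain: str   # e.g. "employee_hr" or "patient_records"


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


# Every decision is recorded so an incident investigation can answer who/what/when.
audit_log = []


def assign_role(user: User, role: str) -> bool:
    """Grant a role unless it is unknown or conflicts with a role the user already holds."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    for held in user.roles:
        if frozenset({held, role}) in CONFLICTING_ROLES:
            audit_log.append(("role_denied", user.name, role, held))
            return False
    user.roles.add(role)
    audit_log.append(("role_granted", user.name, role, None))
    return True


def check_access(user: User, action: str, resource: Resource) -> bool:
    """Deny by default: allow only if some role of the user grants (domain, action)."""
    wanted = (resource.domain, action)
    allowed = any(wanted in ROLE_PERMISSIONS.get(r, ()) for r in user.roles)
    audit_log.append(("allow" if allowed else "deny", user.name, action, resource.name))
    return allowed


if __name__ == "__main__":
    invoice = Resource("invoice_1042", "billing")
    hr_file = Resource("employee_hr_2024.csv", "employee_hr")
    alice = User("alice")
    assign_role(alice, "billing_clerk")
    print(check_access(alice, "write", invoice))    # True: her role grants it
    print(check_access(alice, "read", hr_file))     # False: no role grants HR access
    print(assign_role(alice, "billing_approver"))   # False: conflicts with billing_clerk
    for entry in audit_log:
        print(entry)
```

The deny-by-default check is what keeps the billing clerk out of personnel files without anyone having to write an explicit "billing may not read HR" rule; the conflict table is the part of the policy that has to be maintained deliberately, because nothing in the permission sets themselves prevents one account from accumulating both halves of a sensitive workflow.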
Unfortunately, even the most carefully tailored security policy cannot eliminate all risk; threats can arise from human error, manipulation by bad actors, or a vulnerability that has not yet been made public. In the event of a breach, system failure, or any other situation that threatens the CIA triad, there must be a clearly defined incident response and recovery plan. The plan should set a specific timeline for each stage, from discovery and notification of management through containment, recovery, and damage control. An investigation should begin immediately, with every party that shares liability made aware of the incident regardless of reputational concerns. Full transparency should be the goal of incident management, and the investigation should seek answers to who, what, where, when, and, where possible, why (Kadam, 2007). With these principles in mind, an organization can draft a strong, evolving information security policy.
References:
Kostadinov, D. (2020, July 20). Key elements of an information security policy. Infosec. https://www.infosecinstitute.com/resources/management-compliance-auditing/key-elements-information-security-policy
Kadam, A. W. (2007). Information security policy development and implementation. Information Systems Security, 16(5), 246–256. https://doi.org/10.1080/10658980701747251