Ensuring information security is an essential part of any organization’s operations, not only as a practical necessity but also because of legal requirements and obligations to protect the confidentiality of information; financial institutions in particular are required to take specific steps to meet them. As a key strategic document, an information security policy defines the goals, strategies and actions needed to manage information security effectively and comprehensively within an organization.
What is an Information Security Policy?
An information security policy is a fundamental element in protecting against security lapses. Its overall goal is to define how the organization defends against cyberattacks and data breaches that could cause it significant financial and reputational loss. The policy rests on three basic principles: confidentiality of information, integrity of data, and availability of systems and data. It should be flexible and tailored to the organization’s individual needs. An important step is to define exactly which information resources and assets are to be protected and how important each of them is to the organization. The assets covered vary widely: some are protected because their loss would cause short-term disruption, others because their compromise would threaten business continuity or key business processes, or expose the organization to criminal liability.
Developing an information security policy is just one part of the broader ICT risk management framework required under DORA. To support this process, financial entities can use tools that document contractual relationships, critical functions and service dependencies. Such tools help institutions maintain transparency and control over their ICT ecosystem, including third-party providers, and by structuring data on contracts, services and responsibilities they also make it easier to meet the audit, supervisory and reporting obligations set out in the regulation.
ISO/IEC 27001
ISO/IEC 27001, currently published as ISO/IEC 27001:2022, is the international standard for information security management systems (ISMS). It sets out requirements that help organizations, regardless of size or industry, establish, implement, maintain and continually improve an ISMS. The wider ISO/IEC 27000 family of standards enables organizations to manage information security risk proactively using established principles and good practice, covering aspects such as documentation, management accountability, internal audits, continual improvement, and corrective and preventive actions.
ISO/IEC 27001 promotes a holistic approach to information security that addresses people, policy and technology. It is a method for managing risk, strengthening cyber resilience and improving operational discipline. The standard helps organizations protect critical information assets and supports compliance with applicable legislation. Its three fundamental principles are confidentiality, integrity and availability: controlling who may access information, preventing unauthorized changes to it, and ensuring it is available to authorized individuals when needed.
DORA and Information Security Policies
The need for an information security policy stems from a number of regulations and standards, including those on the protection of personal data, the security of information and communication systems, the protection of classified information, the National Cybersecurity System, the National Interoperability Framework, and the ISO/IEC 27001 standard. DORA adds to this set by requiring such a policy explicitly. Article 9 (Protection and prevention), paragraph 4, point (a) provides that, as part of the ICT risk management framework referred to in Article 6(1), financial entities shall “develop and document an information security policy defining rules to protect the availability, authenticity, integrity and confidentiality of data, information assets and ICT assets, including those of their customers, where applicable”.
What Does an Information Security Policy Consist of?
DORA directs financial institutions to take a number of measures in the context of ICT risk management. Before an information security policy is written, the financial entity should identify and document the components of its ICT environment, including the physical elements, and the business functions they support. It then applies risk analysis to those components to arrive at an information security policy that addresses the risks actually present.
Access rules
The IT security policy defines how user and administrator accounts are used and kept separate on systems. In the area of password management, it should specify requirements for managing user passwords, such as expiration periods and password strength rules. Physical and logical access to information and ICT assets is granted only for legitimate and approved functions and activities, and a comprehensive set of policies, procedures and controls for access management is established to enforce this. In the area of authentication, financial institutions implement strong authentication mechanisms based on relevant standards and dedicated control systems, together with measures to protect cryptographic keys, so that data is encrypted in line with the results of approved data classification and ICT risk assessment processes. The policy should also describe rules for identifying employees in physical spaces and define levels of access to locations such as server rooms and document archives.
Incidents, failures and business continuity
The policy should describe the mechanisms used to detect unauthorized changes and incidents, and explain how incidents in the ICT environment are monitored. It should set out how incidents such as unauthorized physical or digital access will be handled, with procedures covering incident reporting, analysis, response and notification, including incidents involving data leakage or loss. It should also include contingency procedures for emergencies, cyberattacks and crises, and address compliance with applicable industry laws and regulations. All of this must be adapted continually to the changing business environment and to emerging information security risks. On the network and infrastructure side, this includes the use of appropriate techniques, methods and protocols, which may include automated mechanisms to isolate affected information assets in the event of a cyberattack.
Employees
The policy should be a document accessible to all employees of the institution and to anyone else who uses its IT resources. In addition, it should include a plan for training and for building awareness of threats, with regular employee training and awareness campaigns designed to raise the level of information security awareness across the organization.
Telecommunications
In the context of telecommunications security, the policy should define security measures for communications, both for protecting data in transit and for defending against man-in-the-middle attacks. Management of ICT service providers is another important area, including defining information security requirements in contracts and monitoring the providers’ activities.
Clearly defining the responsibilities of individual business units and employees for implementing and complying with the security policy is a key component of the policy.
Change management and updates
Financial entities should pay particular attention to change management in ICT systems. This process covers changes to software, hardware and firmware components, system specifications and security parameters. Change management is based on risk assessment and forms an integral part of the financial entity’s overall change management process, so that every change to an ICT system is recorded, tested, evaluated, approved, implemented and verified in a controlled manner.
Finally, financial entities should have an appropriate and comprehensive documented policy for patches and updates. This is an important element of managing and maintaining information systems effectively in a fast-changing technology environment.
PDCA Model
At this point, it is worth referring to the PDCA model of “Plan—Do—Check—Act”, on which the original 2005 edition of ISO/IEC 27001 was explicitly built and which still maps onto the clause structure of the current edition. The four steps can be described as follows:
- Plan – establish an information security policy based on a comprehensive risk analysis and in line with the organization’s goals.
- Do – implement the management system based on the information security policy.
- Check – monitor and measure the performance of processes against the policy and its objectives.
- Act – maintain and improve the system by taking corrective and preventive actions based on the results of internal audits and other information.
Benefits of Implementing an Information Security Policy
In many companies, cybersecurity is underestimated: either no security policy has been defined at all, or one exists but employees do not follow its recommendations. This is not only true of small and medium-sized businesses; even large multinational companies often lack this document, and its absence is most often discovered after a targeted attack, when it is too late to respond effectively.
There are many benefits to implementing an information security policy. The first category includes minimizing losses due to information security breaches, reducing the risk of incidents, protecting personal data, preparing for potential incidents, and developing scenarios for dealing with breaches. The second category of benefits relates to enhancing the credibility of the organization in the eyes of customers, investors and shareholders, which contributes to a competitive advantage by building a positive image as a company that cares about protecting the rights and interests of business partners and customers. Third, having an information security policy is related to ensuring compliance with regulations, including DORA.
