Every organization needs to put down in writing the ways they will handle data. It is boring work. Still, it is important to have an information security policy. Written policies for how you will handle other peoples’ information and how you will keep it secure help clarify things within your organization and may come in handy when applying for insurance. Once you have yours drafted, have your lawyer take a look to make sure there is nothing you have missed.

3 Key Considerations As You Draft Your Information Security Policy

1. What information you handle/store.

Nearly every organization handles or stores data of some sort. What sort do you collect? Examples include credit card numbers, birth dates, contact information, purchase history. Whose information do you collect? Likely categories include staff, customers/clients, donors, and even sometimes visitors to your website. In order to draft a complete information security policy, you will need to consider which information your organization handles and whose information you handle.

2. Access to this information.

Whether you handle a few simple details or a huge collection of data, it is unlikely everyone in your organization needs access to all of the information. Part of stewarding information wisely involves minimizing the access within your organization. Information about client identities may not be the business of the front desk person. Your head of marketing may not need to access customer credit card information. What roles within your organization require access to which information?

Access to the information also speaks of how you retain data. Hard copies of some information can kept in a locked cabinet. Digital copies may be encrypted or stored in a special way. Spelling these things out in your information security policy helps make sure everyone is on the same page.

3. Outside requirements.

Get a handle on the requirements on your organization coming from the outside. If you are in an association of some kind, they may have an information security policy of their own that all associated organizations must use. That would mean most of the work has been done for you. If you are an independent organization, you are still likely subject to legal requirements of some kind. For instance, if you handle credit card numbers you will need to be PCI compliant. Those in healthcare will need to consider HIPAA. If possible, consult with a lawyer to make sure you cover all the bases when it comes to your information security policy.