Regardless of an organization’s size, industry, geographical location, or the extent to which it uses computers; information security is an important matter that should be addressed by explicit policies. Some experts say that the lack of a well-defined corporate information security policy is the single biggest problem with most security efforts.
Major data protection laws such as HIPAA (for health care) and GLBA (for financial services) require organizations to have written information security policies regardless of the size and scope of the organization. Over 35 states also have specific data protection laws to protect against identity theft. All of these require a written information security program including information security policies.
For a more detailed set of requirements, see our white paper: The Regulatory Requirements for Written Security Policies.