Part 7. A Written Exception Process It may be impossible for every part of the organization to follow all of the information security policies at all times. This is especially true if policies are developed by the legal or information security department without input from business units. Rather than assuming there will be no exceptions […]
Author Archives: David Lineman
Part 6. A Verified Audit Trail Security policy documents will not be effective unless they are read and understood by all members of the target audience intended for each document. For some documents, such as Internet Acceptable Use or Code of Conduct, the target audience is likely the entire organization. Each policy document should have […]
Part 5. An Effective Date Range Written information security policies should have a defined “effective date” and “expiration” or “review” date. This is critical so that individuals and organizations know when they are subject to the rules outlined in the policy, and when they can expect updates. The effective dates within your security policies should […]
4. Targeted User Groups Not all information security policies are appropriate for every role in the company. Therefore, written information security policy documents should be targeted to specific audiences with the organization. Ideally, these audiences should align with functional user roles within the organization. (See Information Security Roles and Responsibilities Made Easy, by Charles Cresson [...]
Part 3. Defined Management Structure To help keep information security policies readable and manageable, it is important to keep the information “level” consistent among the various document types. In other words, it is not advisable to mix policies, procedures, standards and guidelines into your policy documents. An effective approach is to create a policy governance […]
In order for written information security policies to have “teeth”, there must be consequences for employees that do not follow policies, and this fact must be documented as part of the published policy. The “sanctions” portion of most security policies reads something like this: “Failure to comply with this policy will result in disciplinary action, […]
Part 2 of 7: Seven Elements of an Effective Information Security Policy Management Program Effective Security Policies Part 2. Defined Policy Document Ownership Security Policies can be viewed as contract between senior management, employees and third-parties about the ways in which the organization will protect information. By definition, a contract is between parties, and in […]
How mature is your information security policy program? Do you have a set of outdated documents stored in a binder or intranet site? Or do you have a documented management program that keeps your policies up to date, your users informed and your internal auditors sleeping at night? This is the first article in the [...]
Many organizations are building or updating written information security policies in response to the newly updated Payment Card Industry Data Security Standard (PCI-DSS). In this paper we describe how Information Shield security policy products can be used to save time and money building security policies that address the PCI-DSS requirements. PCI-DSS Policy Compliance Using Information [...]
A few weeks ago, Deloitte Touche Tohmatsu (DTT) released the results of its Annual Global Security Survey for 2008. The survey focuses on the information security needs, practices and priorities of the financial industry, which is among the most regulated of all vertical markets. Not surprisingly, the top priority for the security officers interviewed was [...]