Author Archives: David Lineman

Information Security Policies and ISO 27001 certification

The paper discusses the importance of information security policies within an information security management system (ISMS), including the benefits of using Information Shield publications in obtaining certification against the new ISO 27001 standard.

Welcome to the Information Security Policy Weblog

The Information Security Policy Weblog is published by Information Shield. We provide this weblog (aka blog) to share and discuss various ideas that relate to the protection of both corporate and personal information through information security policies. We hope this will provide a forum to discuss real-world issues involving the practice of protecting information. We […]

Critical Security Policies for Preventing Cyber Attacks

Is it possible to declare some security policies as more critical than others? When it comes to protecting sensitive data, all security policies are important to reduce the risk of loss. However, when we look at risk mitigation from the perspective of stopping the latest attacks, some security controls rise to the top. In September […]

Effective Security Policy Management – Part 7

Part 7. A Written Exception Process. It may be impossible for every part of the organization to follow all of the information security policies at all times. This is especially true if policies are developed by the legal or information security department without input from business units. Rather than assuming there will be no exceptions […]

Effective Security Policy Management – Part 6

Part 6. A Verified Audit Trail. Security policy documents will not be effective unless they are read and understood by every member of each document's intended audience. For some documents, such as Internet Acceptable Use or Code of Conduct, the target audience is likely the entire organization. Each policy document should have […]

Effective Security Policy Management – Part 5

Part 5. An Effective Date Range. Written information security policies should have a defined “effective date” and an “expiration” or “review” date. This is critical so that individuals and organizations know when they are subject to the rules outlined in the policy, and when they can expect updates. The effective dates within your security policies should […]

Effective Security Policy Management – Part 4

Part 4. Targeted User Groups. Not all information security policies are appropriate for every role in the company. Therefore, written information security policy documents should be targeted to specific audiences within the organization. Ideally, these audiences should align with functional user roles within the organization. (See Information Security Roles and Responsibilities Made Easy, by Charles Cresson […]

Effective Security Policy Management – Part 3

Part 3. Defined Management Structure. To help keep information security policies readable and manageable, it is important to keep the information “level” consistent among the various document types. In other words, it is not advisable to mix policies, procedures, standards and guidelines within a single policy document. An effective approach is to create a policy governance […]

Ideas for Security Policy Sanctions

In order for written information security policies to have “teeth”, there must be consequences for employees who do not follow them, and those consequences must be documented as part of the published policy. The “sanctions” portion of most security policies reads something like this: “Failure to comply with this policy will result in disciplinary action, […]

Effective Security Policy Management – Part 2

Part 2 of 7: Seven Elements of an Effective Information Security Policy Management Program. Part 2. Defined Policy Document Ownership. Security policies can be viewed as a contract between senior management, employees and third parties about the ways in which the organization will protect information. By definition, a contract is between parties, and in […]