Category Archives: Information Security Policies

Information Shield Enables Department of Labor Cyber Requirements

In April 2021 the United States Department of Labor (DOL) issued its first guidance to help retirement plan sponsors and administrators implement a sound cyber security program to protect personal data.   The Department of Labor estimates that over $9 trillion in assets are held in various retirement plans, making them prime targets for hackers.   The Employee […]

Simplify Compliance with new ACC Security Controls

Attorneys Create New Control Framework The Association of Corporate Counsel (ACC), which represents over 42,000 in-house counsel across 85 countries, recently released a new control model to help organizations interact with outside parties when dealing with sensitive information.  This is among the many new business domains areas where vendor risk management has become a key issue. […]

Information Security Policy Lessons from Recent SEC Actions

Many financial services firms are currently building programs to comply with the information security requirements of the Securities and Exchange Commission (SEC). In this article we discuss some key information security policy and compliance lessons that organizations can learn and adopt for their own programs.   In 2016 the SEC has increased its focus on cyber […]

Distributing Information Security Policies

To be effective, information security policies need to be read and understood by every member of the organization. This seemingly simple requirement is now becoming a standard practice to reduce risk, comply with regulations and demonstrate due-diligence.  Why is this control so important and how can it be done in practice? Regulatory Requirements Every regulatory […]

New Point-of-Sale Device Security Policy

The piercing lens of information security changes focus quite often.  In recent weeks the security vulnerability lens is focused on point-of-sale (POS) devices.  And there seems to be good reason.  The Target breach, perhaps the largest reporting breach in history, seems to be the result of malicious software inserted into these devices via a network hole […]

Information Security Policies According to NIST

Five Best Practices from NIST 800-53 In April 2013, NIST made the final updates to their complete catalog of information security requirements, Special Publication 800-53 Revision 4 – Security and Privacy Controls for Federal Information Systems and Organizations.  The catalog is BIG – it contains hundreds of information security and data privacy requirements organized into […]

Security Policies to implement the DSD Top 35

In July 2011, The Australian Defence Signals Directorate (DSD) published an updated list of their Top 35 Mitigation Strategies. This list was based on the analysis of real-world events within the government agencies, and is designed to identify the top set of controls that would have the most impact on reducing actual incidents. The list […]

The Information Security Policy Hierarchy

Developing A Governing Policy & Subsidiary Policies A Maturing Field: As the discipline of information security becomes more sophisticated, codified, standardized, and mature, it is not surprising that the old-fashioned approach to information security policy writing is no longer appropriate. We are talking here about the “one-size-fits-all” information security policy that is supposed to apply […]

Security Policy on Social Networking Sites

Social Networking sites present some unique challenges for organizations that must attract and keep young workers. Is the use of social networking sites at work a necessary perk or an unacceptable risk to corporate information? Some argue that organizations must allow access to social networking and other Web 2.0 sites to help attract a more […]