One of the key challenges to developing effective information security policies is agreeing on a proper nomenclature. Even before writing the first line of a security policy, many organizations get dragged into lengthy discussions regarding the definitions and nuances of these three key elements: Information security policies, standards and procedures. In this article we will […]
Category Archives: security policy development
What is an information security policy? An Information Security Policy is a formal document that defines controls within your information security program. An information security policy is a high-level business rule that must be followed by the organization. Example Policy: All Company X user accounts must be approves by a member of the information technology […]
The Securities and Exchange Commission (SEC) has been increasing its focus on the cyber security program of registered firms. In a recent SEC action, the SEC has highlighted an important point: That firms must show that they have worked to customize information security policies to meet their specific needs. The Safeguards Rule (which the Commission […]
To be effective, information security policies need to be read and understood by every member of the organization. This seemingly simple requirement is now becoming a standard practice to reduce risk, comply with regulations and demonstrate due-diligence. Why is this control so important and how can it be done in practice? Regulatory Requirements Every regulatory […]
Often it is difficult to justify security policy development to management. In many cases, this is due to a lack of understanding on just how detailed and complex policy writing can be. "Just go find a template on the internet." For those of you who have tried this approach, you quickly discover that there is [...]
We talk to customers every day about security policies. One of the most common questions we receive is this: How should we structure our information security policies? When we dig deeper, we usually find that this is a really a two-part question regarding policy structure. First, how should we name and organize our documents. Second, […]
The PCI Security Standards Council just released Version 3.0 of the Payment Card Industry Data Security Standard (PCI-DSS), the set of requirements for protecting credit card data. The update had some significant changes, including a greater focus on third-party information security. There are many articles describing the new changes to PCI-DSS V3, including a nice […]
The British Standards Institute (BSI) recently released an updated version of ISO/IEC 27002 – Code of Practice for Information Security Controls. This was the first major update since the 2005 release. Many organizations are interested in how the changes will impact their information security program. What Really Changed? In our review, very little in the […]
Developing A Governing Policy & Subsidiary Policies A Maturing Field: As the discipline of information security becomes more sophisticated, codified, standardized, and mature, it is not surprising that the old-fashioned approach to information security policy writing is no longer appropriate. We are talking here about the “one-size-fits-all” information security policy that is supposed to apply […]
Litmus Test: One high-tech company that this author was working with recently was considering the acquisition of another high-tech company. In order to gauge the sophistication of the information security effort at the target company, top management at the acquiring company requested a copy of the information security policy. The policy document in that moment [...]
- 1
- 2