Call Us: 888 641 0500
17
MAY
2016

SEC Affirms the Need for Custom Security Policies

The Securities and Exchange Commission (SEC) has been increasing its focus on the cyber security program of registered firms. In a recent SEC action, the SEC has highlighted an important point:  That firms must show that they have worked to customize information security policies...
27
OCT
2014

Security Policies, Standards and Procedures: What’s the Difference?

One of the key challenges to developing effective information security policies is agreeing on a proper nomenclature.   Even before writing the first line of a security policy, many organizations get dragged into lengthy discussions regarding the definitions and nuances of these...
21
MAY
2014

Distributing Information Security Policies

To be effective, information security policies need to be read and understood by every member of the organization. This seemingly simple requirement is now becoming a standard practice to reduce risk, comply with regulations and demonstrate due-diligence.  Why is this control so...
25
MAR
2014

The ROI of Pre-Written Information Security Policies

Often it is difficult to justify security policy development to management.   In many cases, this is due to a lack of understanding on just how detailed and complex policy writing can be.  “Just go find a template on the internet.”   For those of you who have tried...
11
FEB
2014

How to Structure Information Security Policies

We talk to customers every day about  security policies.   One of the most common questions we receive is this:  How should we structure our information security policies?  When we dig deeper, we usually find that this is a really a two-part question regarding policy structure....
17
NOV
2013

Information Security Policies for PCI-DSS V3

The PCI Security Standards Council just released Version 3.0 of the Payment Card Industry Data Security Standard (PCI-DSS), the set of requirements for protecting credit card data.  The update had some significant changes, including a greater focus on third-party information...
15
NOV
2013

ISO 27002:2013 Change Summary Heatmap

The British Standards Institute (BSI)  recently released an updated version of ISO/IEC 27002 – Code of Practice for Information Security Controls.  This was the first major update since the 2005 release.  Many organizations are interested in how the changes will impact...
28
FEB
2011

The Information Security Policy Hierarchy

Developing A Governing Policy & Subsidiary Policies A Maturing Field: As the discipline of information security becomes more sophisticated, codified, standardized, and mature, it is not surprising that the old-fashioned approach to information security policy writing is no...
17
JAN
2011

Levels Of Maturity In The Security Policy Development Process

Litmus Test: One high-tech company that this author was working with recently was considering the acquisition of another high-tech company. In order to gauge the sophistication of the information security effort at the target company, top management at the acquiring company...
23
NOV
2010

Using Security Policies As Catalysts For Internal Change

Security Quality Control: There is much to recommend about the ISO 9000 quality control approach as it is applies to the discipline of information security. In fact the ISO 27001 standard, entitled Information Security Management System (ISMS), in large measure reflects that same...
12