Use these 5 tips to take your information security policies off the shelf and put them into action. Bad Information Security Policies Information Security Policies are the foundation of your cyber security program. They create the “written rules” that define how controls are implemented and audited. They are typically the first set of “evidence” used […]
Category Archives: Writing Security Policies
What is an information security policy? An Information Security Policy is a formal document that defines controls within your information security program. An information security policy is a high-level business rule that must be followed by the organization. Example Policy: All Company X user accounts must be approved by a member of the information technology […]
Any IRS provider can develop a Data Security Plan using a quality Template.
The Securities and Exchange Commission (SEC) has been increasing its focus on the cyber security programs of registered firms. In a recent action, the SEC highlighted an important point: firms must show that they have worked to customize information security policies to meet their specific needs. The Safeguards Rule (which the Commission […]
We talk to customers every day about security policies. One of the most common questions we receive is this: How should we structure our information security policies? When we dig deeper, we usually find that this is really a two-part question regarding policy structure. First, how should we name and organize our documents? Second, […]
Plan First: We all know that it’s advisable to create a plan before undertaking a large and complex project. For instance, most reasonable people would not consider building a modern residential house, with plumbing, heating, electrical, lighting, and communications systems, if they did not first have a clear and specific plan (aka blueprint). Of course, […]
The US Supreme Court has overturned a lower-court ruling and concluded that management has a right to review employee text messages on company-issued devices. If used as a precedent, this case may have far-reaching consequences for employee expectations of privacy in workplace communications. However, the ruling should also serve as a wake-up call for organizations […]