Category Archives: Writing Security Policies

SEC Affirms the Need for Custom Security Policies

The Securities and Exchange Commission (SEC) has been increasing its focus on the cyber security program of registered firms. In a recent SEC action, the SEC has highlighted an important point:  That firms must show that they have worked to customize information security policies to meet their specific needs. The Safeguards Rule (which the Commission […]

The ROI of Pre-Written Information Security Policies

Often it is difficult to justify security policy development to management.   In many cases, this is due to a lack of understanding on just how detailed and complex policy writing can be.  "Just go find a template on the internet."   For those of you who have tried this approach, you quickly discover that there is [...]

How to Structure Information Security Policies

We talk to customers every day about  security policies.   One of the most common questions we receive is this:  How should we structure our information security policies?  When we dig deeper, we usually find that this is a really a two-part question regarding policy structure. First, how should we name and organize our documents. Second, […]

One Security Policy Document Or A Series Of Documents?

Plan First: We all know that it’s advisable to create a plan before undertaking a large and complex project. For instance, most reasonable people would not consider building a modern residential house, with plumbing, heating, electrical, lighting, and communications systems, if they did not first have a clear and specific plan (aka blueprint). Of course, […]

Levels Of Maturity In The Security Policy Development Process

Litmus Test: One high-tech company that this author was working with recently was considering the acquisition of another high-tech company. In order to gauge the sophistication of the information security effort at the target company, top management at the acquiring company requested a copy of the information security policy. The policy document in that moment [...]

When & Why To Publicly Reveal Internal Security Policies

Never Say Never: In the absence of further information, written information security policies are by default generally considered information that is "for internal use only" or "restricted." There are many good reasons to refuse to release information security policies to outsiders. But the trend these days is towards greater transparency, greater accountability, and a more [...]

Implied Security Policies Create Added Risk

The US Supreme Court has overturned a lower-court ruling and concluded that management has a right to review employee text messages on company-issued devices. If used as a precedent, this case may have far-reaching consequences for employee expectations of privacy in workplace communications. However, the ruling should also serve as a wake-up call for organizations […]

Effective Security Policy Management – Part 2

Part 2 of 7: Seven Elements of an Effective Information Security Policy Management Program Effective Security Policies Part 2. Defined Policy Document Ownership Security Policies can be viewed as contract between senior management, employees and third-parties about the ways in which the organization will protect information. By definition, a contract is between parties, and in […]

Effective Information Security Policy Management – Part 1

How mature is your information security policy program? Do you have a set of outdated documents stored in a binder or intranet site? Or do you have a documented management program that keeps your policies up to date, your users informed and your internal auditors sleeping at night? This is the first article in the [...]