The Regulatory Requirements for Written Information Security Policies
Some organizations still receive little management support or funding for a sound information security policy program. Within the last several years, however, numerous federal, state and international regulations have been passed that require the protection of information. Many organizations are now enhancing their information security policies in response to legal and regulatory requirements.
In some cases, these regulations are very specific about the requirements for written security and privacy policies. Examples include HIPAA and PCI-DSS. In other cases, a regulation simply requires safeguards that are “appropriate” for the size and type of organization. In these cases, enforcement agencies and auditors must defer to accepted best practices or frameworks for guidance, all of which require written policies. Examples of these are the Control Objectives for Information Technology (COBIT™) and ISO/IEC 27002.
The following table contains a partial list of security or privacy-related regulations and their specific information security policy requirements. Where appropriate, the list includes the security policy requirements of several key frameworks used to manage compliance with various regulations.
Regulation/Framework | Industry/Country | Policy Requirement |
HIPAA (Health Insurance Portability and Accountability Act of 1996)
Security Final Rule
|
Healthcare (U.S.)
|
Policies and Procedures 164.316 (a)
(R) Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart.
|
Sarbanes-Oxley Act, Section 404 – based on COBIT (Control Objectives for Information Technology)
Control Objectives, Section 6: Communicate Management Aims and directions.
|
All Publicly Traded Companies (U.S)
|
6.2 Management’s Responsibility for Policies
“Management should assume full responsibility for formulating, developing, documenting, promulgating and controlling policies covering general aims and directives.”
|
PCI-DSS
Payment Card Industry Data Security Standard
|
Financial Services
(International)
|
Requirement 12: Maintain a policy that addresses information security |
Gramm-Leach-Bliley Act (GLBA) Title V – Section 501
FFIEC – Interagency Guidelines Establishing Standards For Safeguarding Customer Information
|
Financial Services (U.S.)
|
“Each Bank shall implement a comprehensive written information security program [policies] that includes administrative, technical and physical safeguards.”
|
NERC-FERC Cyber Security Standard
CIP-003-1 Security Management Controls
|
Energy/Infrastructure (U.S.)
|
Requirement 1.
The Responsible Entity shall create and maintain a cyber security policy that addresses the requirements of this standard and the governance of the cyber security controls.
|
Federal Information Security Management Act (FISMA)
NIST SP 800-53
|
Federal Government (U.S.)
|
“(a) The head of each [Federal] agency shall delegate to the agency Chief Information Officer ensuring that the agency effectively implements and maintains information security policies, procedures, and control techniques;”
|
PIPEDA (Bill C6) – Personal Information Protection and Electronic Document Act
|
All Industries (Canada)
|
4.1 Principle 1 – Accountability
Organizations shall implement policies and practices to give effect to the principles.
|
EU Data Protection Directive
|
All Industries (European Union)
|
Organizations must “implement appropriate technical and organizational measures to protect personal data.”
|
ISO/IEC 27002:2013
Section 1.1 Information Security Policy Document
|
Information Security Framework
|
A written policy document should be available to all employees responsible for information security.
|
US Cyber Security Framework (CSF) |
Security Framework
|
ID.GV-1: Organizational information security policy
|
This table is one of the many resources available within Information Security Policies Made Easy.