Tag Archives: developing security policies

5 Elements of Effective Information Security Policies

Use these 5 tips to take your information security policies off the shelf and put them into action. Bad Information Security Policies Information Security Policies are the foundation of your cyber security program. They create the “written rules” that define how controls are implemented and audited. They are typically the first set of “evidence” used […]

Information Shield Enables SEC Cyber Compliance

April 13, 2022 – Information Shield today announced support for the new 2022 proposed SEC Cyber Risk requirements. Organizations can address the new security policy and record-keeping requirements in a single integrated solution. “The SEC has continued to refine the requirements for investment groups to protect information.” Said David Lineman, President of Information Shield. “This […]

InformationShield – NetDiligence Alliance Aids Cyber Insurance

Houston, Texas – Information Shield and NetDiligence announced a strategic alliance to enhance information security options within the cyber insurance industry.  NetDiligence®  operates the ERiskHUB(TM), a platform that provides loss-mitigation and breach response solutions to dozens of leading cyber insurance providers and brokers.   As part of the alliance, Information Shield’s new platform – ComplianceShield – […]

A Security Policy Framework for IT Risk Assessments

The completion of an information security risk assessment is a key requirement in all information security frameworks, including ISO 27002, NIST 800:53, HIPAA and PCI-DSS.  A recent analysis of regulatory enforcement under HIPAA identifies risk assessment as a key area of weakness. While risk assessments are required, the specifics for how to perform a risk […]

Distributing Information Security Policies

To be effective, information security policies need to be read and understood by every member of the organization. This seemingly simple requirement is now becoming a standard practice to reduce risk, comply with regulations and demonstrate due-diligence.  Why is this control so important and how can it be done in practice? Regulatory Requirements Every regulatory […]

New Security Policy Map for US CyberSecurity Framework

In February 2014, NIST released version 1.0 of the Framework for Improving Critical Infrastructure Cyber-security.   The frameworks is intended to be a "voluntary" set of standards that can help small and medium sized businesses develop an information security program.   (Part of the problem, of course, is that we don't need another framework - but a [...]

The ROI of Pre-Written Information Security Policies

Often it is difficult to justify security policy development to management.   In many cases, this is due to a lack of understanding on just how detailed and complex policy writing can be.  "Just go find a template on the internet."   For those of you who have tried this approach, you quickly discover that there is [...]

How to Structure Information Security Policies

We talk to customers every day about  security policies.   One of the most common questions we receive is this:  How should we structure our information security policies?  When we dig deeper, we usually find that this is a really a two-part question regarding policy structure. First, how should we name and organize our documents. Second, […]

ISO 27002:2013 Change Summary Heatmap

The British Standards Institute (BSI)  recently released an updated version of ISO/IEC 27002 – Code of Practice for Information Security Controls.  This was the first major update since the 2005 release.  Many organizations are interested in how the changes will impact their information security program. What Really Changed? In our review, very little in the […]

Information Security Policies According to NIST

Five Best Practices from NIST 800-53 In April 2013, NIST made the final updates to their complete catalog of information security requirements, Special Publication 800-53 Revision 4 – Security and Privacy Controls for Federal Information Systems and Organizations.  The catalog is BIG – it contains hundreds of information security and data privacy requirements organized into […]