Tag Archives: information security policy

Simplify Compliance with NYS-DFS Cyber Law

The New York Department of Financial Services (NYS-DFS) recently updated the model cyber security law (23 NYCRR 500) that requires financial institutions to build, update and validate a robust cyber security program. In this article we discuss key requirements and how organizations can simplify the compliance process. What is the NYS-DFS Cyber Security Law? The […]

Simplify Compliance with EPA Cyber Security Requirements

Understand the key cyber security requirements of the new EPA Cyber Rule for water and see how to effectively build and maintain and written information security program to maintain compliance. What are the EPA water cyber security requirements? The U.S. Environmental Protection Agency (EPA) created a new memorandum in March 2023 to require public water […]

Simplify Compliance with NADA FTC Safeguards Rule

Understand the key requirements of the FTC Safeguards Rule as it applies auto-dealerships and see how to effectively build and maintain and written information security program to maintain compliance. What are the NADA cyber security requirements? The National Automotive Dealers Association (NADA) proposed a set of cyber security requirements to help protect private customer data […]

Key Elements of Information Security Policies

What is an information security policy? An Information Security Policy is a formal document that defines controls within your information security program. An information security policy is a high-level business rule that must be followed by the organization. Example Policy: All Company X user accounts must be approves by a member of the information technology […]

Simplify Compliance with FTC Safeguards Rule

Understand the key requirements of the FTC Safeguards Rule and how to effectively build and maintain and written information security program to maintain compliance. What is the FTC Safeguards Rule? The Federal Trade Commission (FTC) created the Standards for Safeguarding Customer Information (“FTC Safeguards Rule”) to ensure that businesses maintain a cyber security program to protect private […]

Security Policies Key to HIPAA BA Compliance

In January the Department of Health and Human Services (HHS) released the much-awaited final updates to the HIPAA Security, Privacy and Enforcement Rules. These updates, known as the “Omnibus Rule” were required by the HITECH Act and have been in proposal form since 2010.  The new law incorporates some major changes in the HIPAA security […]

Security Policies to Address Internal Threat

We hear reports of new data breaches almost daily. While most of them are fairly complex stories, they most always begin at some point with a human "insider" making a mistake. In fact, 2011 could be considered the “Year of the Insider.” From the RSA hack and Sony Playstation breach, to the Epsilon e-mail breach [...]

The Information Security Policy Hierarchy

Developing A Governing Policy & Subsidiary Policies A Maturing Field: As the discipline of information security becomes more sophisticated, codified, standardized, and mature, it is not surprising that the old-fashioned approach to information security policy writing is no longer appropriate. We are talking here about the “one-size-fits-all” information security policy that is supposed to apply […]

Five Reasons Why Security Policies Don’t Get Implemented

This article will explore five serious problems preventing information security policies from being implemented, even though these policies may have been written with the best of intentions. Cutting across all five of these causative factors is a theme involving a lack of understanding about the nature of policies. All too often policies are written in […]

Security Policy Lessons from SCADA Attacks

Reports from the last few months have generated another wake-up call for those concerned with the security of the nation’s critical infrastructure. In addition to audit reports of widespread vulnerabilities among agencies managing the infrastructure, the first malicious software was discovered “in the wild” that specifically targets the SCADA system employed to manage these networks. [...]