World class Security Policy template package from Security Bastion
An information security policy is a special form of documented business rules directed by senior management. Clearly there was no requirement for them 40 years ago. The surge of information-processing systems such as smart phones, the internet, and personal electronic assistants has motivated this change. Those employed in a business enterprise setting need distinct and conclusive direction to help them secure information assets. Just as it is unthinkable that millions of car drivers would be on the road with no laws and regulations, it is equally unthinkable that a vast number of business people would operate systems without information security policies.
A little information on policy compliance
Information security policy compliance, like other forms of compliance, has always been understood to be part of simply doing good business. The banking and financial industries have lived under regulation since the creation of the financial markets. Industries such as healthcare, along with other business sectors, have also come under heavy oversight.
To comply with any of today’s regulations you must gain a thorough understanding of the particular regulation that applies to you. Confusion and misinformation cause organizations to lose millions day after day on projects that are unnecessary and that neither provide safeguards nor close gaps in the organization’s security compliance efforts.
What’s driving policy compliance?
Policy compliance is generally introduced in response to some sort of negative incident. A good example is the Securities and Exchange Acts in the United States, which were brought about in response to the stock market crash of 1929. The US Congress understood that better reporting requirements were necessary to ensure that investors would receive more accurate information and make better-informed decisions. This worked, at least for the second half of the 20th century.
Globalization and the fast pace of information technology have brought about a whole new range of threats and security risks.
In the nineties, laws and regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Financial Services Modernization Act – aka the Gramm-Leach-Bliley Act (GLBA) – were passed in the United States to safeguard the privacy of personal data. Each of these policies has specific requirements for the security of Personally Identifiable Information (PII). Additionally, both call for yearly risk assessments to ascertain compliance with those requirements. For GLBA, the audits are carried out by auditors from the government agency that oversees the specific financial institution. Examples of these organizations include the Federal Reserve Bank (FRB), the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the National Association of Credit Bureaus (NACB). During the 2000s, a number of policy makers thought that the failure of two huge public companies – Enron and WorldCom – might have been recognized and avoided had suitable controls and accountability measures been in place. These, and several other less-publicized meltdowns, brought about the passing of the Sarbanes-Oxley Act in 2002.
Information security policy | important tips to remember!
When considering a revamped or new information security policy framework, it is important to understand that the framework is not there merely for the sake of compliance efforts. If that attitude is taken, the result will be a total and utter train wreck (believe me, I’ve been there). During my time as an information security management consultant I’ve seen many organizations go down this road, thinking they can introduce a good solid policy structure around a certain segment of information that has to meet applicable compliance requirements. This results in project after project being spun up to hunt down the application databases and servers that process or store the types of information covered by the regulation in question. When these projects are complete, they are left with a dubious list of applicable information systems that they hope covers everything necessary. From here on the task gets even more difficult as the company tries to segment the applicable information systems from the rest of its operational environment.
New project teams are hired to perform such tasks and work out the problems of segmenting one system from another; consultants are hired to review architectural documents, give their opinions, and report on whether the segmentation is good enough to remove certain servers from compliance scope. It just gets messier and more complicated, people start losing their tempers, and everybody loses sight of the fact that the reason the policy is being put in place is to make the organization’s operations secure and effective, and to ensure they run in harmony with the underlying objectives of the policies that underpin the organization’s security management framework.
You should never forget the big picture. This may sound a little obvious, but I have seen more organizations plan their security controls around compliance than not. This has left them completely open to attack and misuse because they missed the deployment of key controls on essential systems. There have been countless security violations in companies that are certified as compliant.
For more detailed information on how to develop your information security policy, please refer to the page “Information security policy development process”.
A good reference can be found here