How mature is your information security policy program? Do you have a set of outdated documents stored in a binder or intranet site? Or do you have a documented management program that keeps your policies up to date, your users informed and your internal auditors sleeping at night?
Information Shield, Inc.
Policy
Research
Eight Elements of
Effective Information
Security Policies
Information Shield, Inc. About Information Shield 2660 Bering Dr. Houston, TX 77057 Information Shield is a global provider of security policy, data privacy www.informationshield.com and security awareness solutions that enable organizations to effectively comply with international security and privacy regulations. sales@informationshield.com Information Shield products are used by over 7000 customers in 59 P: 888.641.0505 countries worldwide. F: 866.304.6704Eight Elements of Effective Information Security Policies Page 1 Information Shield, Inc.
Table of Contents Information Shield Summary Whitepaper
Defining Effective Eight Elements of Effective Information Security Information Security Policies Policies . 3 Information Shield Eight Elements of Effective Information Security Policies . 3 Summary How mature is your information security policy program? Do you have a set of outdated documents Information Shield stored in a binder or intranet site? Or do you have a Policy Solutions . 9 documented management program that keeps your policies up to date, your users informed and your internal auditors sleeping at night? References . 10 In this paper we review eight key characteristics of an effective policy management program. These elements are culled from leading practices, security and privacy frameworks, and incidents involving information security policies. Organizations can use this checklist to evaluate the maturity of their existing information security policies.
All Contents Copyright 2009, Information Shield, Inc. All rights reserved. All trademarks cited herein are the property of their respective owners. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under § 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the copyright holder. Limit of Liability/Disclaimer of Warranty: While the copyright holders, publishers, and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of its contents and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. The advice and strategies contained herein are based on the author's experience and may not be usable for your situation. You should consult with an information security professional where appropriate. Neither the publishers nor authors shall be liable for any loss of profit or any other commercial damages, including, but not limited to, special, incidental, consequential, or other damages.
Eight Elements of Effective Information Security Policies Page 2 Information Shield, Inc.
Defining Effective Information Security Policies Most organizations have some form of written security policies. However, management at these same organizations is often uncertain if their security policies are actually "good enough". How do they compare against other organizations? How do they compare against international standards and best-practices? Will their written policies actually help reduce legal liability? In this paper, we identify common attributes of effective security policy programs. The elements are determined using written guidance from data protection laws (such as HIPAA and GLBA) as well as international security frameworks such as ISO 27002 and COBIT. We also incorporate lessons learned from regulatory enforcement actions and legal precedents involving policy violations. Eight Elements of Effective Security Policies
1. Written Documents with Version Control Even though it seems obvious, nearly every information security standard and framework specifically requires information security policies to be written. Since policies define management's expectations and stated objectives for protecting information, policies cannot be "implied" - but have to be documented. Having a "written policy document" is the first key control established within the international [1]standard ISO/IEC 1-7799:2005 (ISO 27002) , and is critical to performing both internal and external ... [download for more]
