ShopThis article will explore five serious problems preventing information security policies from being implemented, even though these policies may have been written with the best of intentions. Cutting across all five of these causative factors is a theme involving a lack of understanding about the nature of policies. All too often policies are written in …
Tag Archive: security policy management
Nov
23
Using Security Policies As Catalysts For Internal Change
Security Quality Control: There is much to recommend about the ISO 9000 quality control approach as it is applies to the discipline of information security. In fact the ISO 27001 standard, entitled Information Security Management System (ISMS), in large measure reflects that same methodology. In other words, ISO 27001 suggests a continuous improvement approach to …
Sep
10
When & Why To Publicly Reveal Internal Security Policies
Never Say Never: In the absence of further information, written information security policies are by default generally considered information that is “for internal use only” or “restricted.” There are many good reasons to refuse to release information security policies to outsiders. But the trend these days is towards greater transparency, greater accountability, and a more …
Jun
26
The Total Cost of Information Security Policy Management
In this paper we develop a cost model for estimating the Total Cost of Policy Management (TCPM). This paper is designed to help organizations estimate the true costs of ongoing policy management by understanding the details of each phase of security policy management. The Total Cost of Information Security Policy Management
May
26
Regulatory Requirements for Establishing Information Security Roles and Responsibilities
There are many security and privacy regulations that are very specific about the proper assignment of security responsibilities. Yet in many organizations, the information security effort is not managed with the same precision as other disciplines. There are a variety of reasons for this, not the least of which is that information security is a …
Apr
26
The ROI of Pre-written Security Policies
Security Policy University is blog devoted to IT or information security professionals responsible for writing, publishing, maintaining and enforcing information security and data privacy policies. The blog has posts from a variety of experts in the field of information security and data privacy and encourages thoughtful comments. This Information Security Policy University blog is maintained …
Apr
11
Effective Security Policy Management – Part 4
4. Targeted User Groups Not all information security policies are appropriate for every role in the company. Therefore, written information security policy documents should be targeted to specific audiences with the organization. Ideally, these audiences should align with functional user roles within the organization. (See Information Security Roles and Responsibilities Made Easy, by Charles Cresson …
Mar
11
Effective Security Policy Management – Part 3
Part 3. Defined Management Structure To help keep information security policies readable and manageable, it is important to keep the information “level” consistent among the various document types. In other words, it is not advisable to mix policies, procedures, standards and guidelines into your policy documents. An effective approach is to create a policy governance …
Feb
11
Effective Security Policy Management – Part 2
Part 2 of 7: Seven Elements of an Effective Information Security Policy Management Program Effective Security Policies Part 2. Defined Policy Document Ownership Security Policies can be viewed as contract between senior management, employees and third-parties about the ways in which the organization will protect information. By definition, a contract is between parties, and in …
Oct
30
Security Policy and Responsibility
Last month we discussed the security policy problems revealed within the department of Veteran’s Affairs (VA) in the wake of the highly public data breach, including the firing of two employees responsible for information security. Over the last month, employees at both AOL and Ohio University were terminated or resigned in the aftermath of data …