ShopPart 7. A Written Exception Process It may be impossible for every part of the organization to follow all of the information security policies at all times. This is especially true if policies are developed by the legal or information security department without input from business units. Rather than assuming there will be no exceptions …
Category Archive: security policy management
Jun
11
Effective Security Policy Management – Part 6
Part 6. A Verified Audit Trail Security policy documents will not be effective unless they are read and understood by all members of the target audience intended for each document. For some documents, such as Internet Acceptable Use or Code of Conduct, the target audience is likely the entire organization. Each policy document should have …
May
11
Effective Security Policy Management – Part 5
Part 5. An Effective Date Range Written information security policies should have a defined “effective date” and “expiration” or “review” date. This is critical so that individuals and organizations know when they are subject to the rules outlined in the policy, and when they can expect updates. The effective dates within your security policies should …
Apr
11
Effective Security Policy Management – Part 4
4. Targeted User Groups Not all information security policies are appropriate for every role in the company. Therefore, written information security policy documents should be targeted to specific audiences with the organization. Ideally, these audiences should align with functional user roles within the organization. (See Information Security Roles and Responsibilities Made Easy, by Charles Cresson …
Feb
17
Ideas for Security Policy Sanctions
In order for written information security policies to have “teeth”, there must be consequences for employees that do not follow policies, and this fact must be documented as part of the published policy. The “sanctions” portion of most security policies reads something like this: “Failure to comply with this policy will result in disciplinary action, …
Feb
11
Effective Security Policy Management – Part 2
Part 2 of 7: Seven Elements of an Effective Information Security Policy Management Program Effective Security Policies Part 2. Defined Policy Document Ownership Security Policies can be viewed as contract between senior management, employees and third-parties about the ways in which the organization will protect information. By definition, a contract is between parties, and in …
Jan
27
Effective Security Policy Management – Part 1
How mature is your information security policy program? Do you have a set of outdated documents stored in a binder or intranet site? Or do you have a documented management program that keeps your policies up to date, your users informed and your internal auditors sleeping at night? This is the first article in the …
Oct
11
New legislation may help prosecution of ID theft
Companies that have their identities used in phishing scams have little recorse in stopping the attacks. However, new legislation proposed by the Justice Department would expand the ability of enforcement agencies to prosecute identity theft, and adds provisions that may help corporations who are used in phishing scams. The “Identity Theft Enforcement and Restitution Act …
Oct
30
Security Policy and Responsibility
Last month we discussed the security policy problems revealed within the department of Veteran’s Affairs (VA) in the wake of the highly public data breach, including the firing of two employees responsible for information security. Over the last month, employees at both AOL and Ohio University were terminated or resigned in the aftermath of data …
Jan
11
About Security Policy University
Security Policy University is blog devoted to IT or information security professionals responsible for writing, publishing, maintaining and enforcing information security and data privacy policies. The blog has posts from a variety of experts in the field of information security and data privacy and encourages thoughtful comments. This Information Security Policy University blog is maintained …