Security Policy and Data Privacy Research and Whitepapers

We are pleased to offer the following papers for complimentary download. If you would like to be notified when new research is available, please sign up for our Policy Solutions Newsletter. All files are Adobe PDF or HTML and open in a separate window.

Visit our Security Policy Blog and get in on the discussion!

Regulatory Compliance
Information Security Policy Development and Management
  • Security Policies to Address the Insider Threat (NEW)
    In this paper we will break down the various attributes of the insider threat, and suggest sample information security policies that can help reduce the likelihood of current and former employees causing harm to the organization.
  • The Total Cost of Information Security Policy Management (NEW)
    In this paper we develop a cost model for estimating the Total Cost of Policy Management (TCPM). This paper is designed to help organizations estimate the true costs of ongoing policy management and build a business case for the purchase of the PolicyShield Security Policy Subscription Service.
  • Enabling Business with Information Security and Privacy Policies (NEW)
    With a dramatic increase in legislation and consumer awareness of identity theft, businesses are finding that security and privacy policies are becoming an essential business tool. In some highly regulated markets, it is difficult to do business at all without a sound set of policies. In this overview we discuss various ways that effective, written information security and data privacy policies can actually help increase sales and enable business with key partners.
  • The Business Need for Updated Information Security Policies (NEW)
    In order to effectively reduce risk and maintain a proper governance structure, organizations must periodically update written security policies as part of an ongoing management process. In this overview we discuss the business requirements for updating security policies, some of the organizational challenges faced by organizations trying to implement policy updates, and some time-saving solutions for addressing these challenges.
  • Information Disposal Incidents and Policy Checkup (NEW)
    Quicker than you can say “dumpster diving” – your organization’s sensitive information can be exposed. To help you consider the variety of potential controls for information destruction, we decided to review some real-world incidents and consider the security policy implications.
  • Information Security Policies Address Top Federal Information Risks
    This report illustrates how our library of information security policies addresses each of the top ten risks to sensitive information identified by the Identity Theft Task Force.
  • The ROI of Pre-written Policies (NEW)
    This whitepaper discusses the steps in the policy development process and builds a simple ROI model for analyzing "build versus buy" when developing information security policies.
  • Seven Elements of an Effective Information Security Policy Management Program (NEW)
    In this paper we review key characteristics of an effective policy management program. These characteristics are culled from leading practices, security and privacy frameworks, and incidents involving information security policies. Organizations can use this quick checklist to evaluate the maturity of their existing security policy management programs.
  • Security Policy Controls for Home-based Employee Access
    Over 85 percent of internet attacks are now against the home-based internet user. In this paper we review security policy controls to help reduce the risk of employees accessing corporate resources from home-based computers.
  • Information Security Policy and Responsibility
    In this paper we discuss important information security policy lessons from recent high-profile data breaches and the resulting public response of the affected organizations.
  • 5 Steps to Documented User Compliance
    In this paper we present five key steps for providing audit documentation that all employees and contractors have read and understood the information security policies that apply to them.
  • Information Security Policy Concerns for Laptops and Portable Devices
    Discusses recent data breaches and some of the basic security policy controls required for the protection of customer data on portable devices.
  • Policy Controls for Building Secure Applications
    More attacks are targeting the application layer, making the need for secure applications more critical than ever. This article examines security policy controls for secure application development.
  • The New ISO 17799:2005 - Security Policy Implications For Business
    This whitepaper by David Lineman highlights the major changes introduced in the new information security standard and how these changes may impact an organization's information security management system.
  • Building and Deploying Effective Policies
    This whitepaper discusses 10 steps that organizations can take to make their security policies more effective and more enforceable. Includes references to international security standards and regulatory requirements for policy and awareness.
  • Records Retention and Security Regulations...Think About It!
    Discusses recent regulatory requirements for records retention and how your organization can be prepared for compliance. From Rebecca Herold's publication within DataSecurity Management.
  • Information Security Policy Issues for Incident Disclosure and Notification
    With the passing of new state regulations requiring customer notification in the event of a data privacy breach, organizations must make sure their information security policies properly address notification requirements. In this paper we discuss the security policy aspects of incident response and public disclosure.
  • The Eyes Have It - Camera Cell Phone Security
    This paper discusses the security and privacy issues around camera cell phones, including recent legislation to restrict these devices. Previously published as a March 2004 CSI Alert by Rebecca Herold.
Security Awareness and Training
  • Regulatory Requirements for Security Awareness and Training
    Many organizations are developing a security awareness program in response to legal or regulatory requirements. This table provides a partial list of the numerous federal, state and international regulations and security frameworks that include security awareness and training as part of the data protection requirements.
  • Awareness Materials Design and Development
    Methods for creating a security awareness program including 85 specific recommendations for making your program more effective and interesting. By Rebecca Herold, CISSP
  • Herding Grasshoppers: Regulatory Awareness Requirements
    A discussion of the regulatory requirements for information security training and awareness, including methods to evaluate the effectiveness of your training program.
Privacy and Data Protection