Got Security Policy? Part 3: Basic Policy


Posted by Brad Curtis on Fri, Jul 23, 2010 @ 01:10 PM

Implement, Communicate, Update, and Enforce Your Policy

My last post described how to develop a Security Policy from scratch. Some organizations may have a very basic policy in place but do not communicate, update, or enforce it. This post provides some high-level direction on how you can get started.

Note: Most industry standards and regulations (e.g., PCI, SAS-70, GLBA, HIPAA, SOX) require that you have, at a minimum, a written Security Policy that is communicated to employees, contractors, and other relevant parties.

You do not need a committee to get started on implementing your policy. However, I would suggest a few very important administrative assurances before rolling it out:

  • Technical Writer – have a technical writer develop, or at least edit, the policy
  • HR Review – have HR review the policy to ensure it doesn’t conflict with your corporate culture or impose an unnecessary burden on the company
  • Legal Review – if it is an option, have a legal firm review the policy to ensure it is in line with local, state, and federal laws and regulations

Implement

Once you have a Security Policy (albeit, in many cases, a very basic one), you can quickly take a step closer to compliance by implementing a few basic principles:

  1. Require all new employees to read your Security Policy (or all employees if you are starting from scratch with a policy for the first time)
  2. Notify employees of changes you make to the policy
  3. State the disciplinary actions that may result from non-compliance

Update

You should review the policy at least annually to ensure it is still valid, accurate, and applicable. You will always find that some information is missing or outdated.

Communicate

When you do make changes to the policy, ensure you communicate those changes via e-mail or the company Intranet. This will reduce the time HR spends fielding questions from employees who ask why the policy has changed and say they were not informed.

Enforce

Train employees on the importance of following the policy and the ramifications for not following it. Require employees to report any instances of non-compliance or incidents to your security officer, HR representative, or executive.

If you implement these basic principles, you are well on your way to having a solid Security Policy and program. Up next, I’ll discuss how you can take implementing your Security Policy to the next level and get one step closer to a solid security program.
