Firm Up Your Data Security


Given the many threats organizations face in protecting critical information and processes, an information security policy is arguably one of the most important documents an organization can create. Consider these best practices for creating a new security policy and keeping an existing policy up to date.


 Ensure that senior management will support the security policy. Bring senior management into the policy creation process early, and make sure the policies are designed to fulfill the business objectives of the organization. Set up a series of interview questions intended to provide a clear understanding of their position on security risk.


 Consider using a security policy template or other authoritative guideline. This will provide the basic framework for the policy document and can be customized to address the needs of a specific organization. Good resources include the ISO 27000 series (27001, 27002 or 27005), the National Institute of Standards and Technology (NIST) Special Publication 800-14, and ISACA’s Control Objectives for Information and related Technology (CoBIT).


 Include consequences for noncompliance. Work with the human resources and legal departments to include appropriate sanctions, which can include termination or prosecution.


 Thoroughly review applicable laws. Ensure the security policy complies with the organization’s regulatory environment, including: FTC Red Flag Rules, Health Insurance Portability and Accountability Act (HIPAA) regulations on the release of medical information, the Gramm-Leach-Bliley Act, applicable state-specific laws, and e-discovery requirements.


 Use clear and concise ideas to communicate the security policy. Use directive wording (must, will, etc.) and nontechnical terms that employees can understand. Policies should be written independent of specific operating systems or software applications.


 Require a regular review process. This should be done at least annually by a team or officer designated by senior management to ensure the policy does not become obsolete. A clear process, called version control, should be designed to provide for how appropriate policy changes can be made, who will be responsible for approving changes, and the frequency with which this process should occur.


 Review all internal controls for any appropriate modification, including all audit reports since the previous review. Assess new vulnerabilities that may have arisen since the last review and develop appropriate countermeasures. Have the human resources and legal departments determine any new regulatory or legal restrictions relevant to the security policy. Consider storing the security policy on an access-restricted Web site, and forward copies of revised policy documents to appropriate employees. Ensure appropriate controls are incorporated in the internal control process. Internal security audits should be conducted regularly. A detailed audit report should be discussed with, and any material deficiencies addressed by, an audit committee designated by senior management.


 Test the system. Check the disaster recovery procedures and consider running a mock shutdown, including restoring backup media to confirm that a restore process will work properly. Review appropriate insurance policies and update coverage and benefits as needed. Make sure employees have access only to information necessary for their function.


 Use the security policy as an opportunity to establish an ongoing security-training program. Everyone in the organization should understand his or her role in maintaining security for the company’s data and employees.


—By Ron Box, CPA/CITP/CFF, CISSP, CFO and CIO for Joe Money Machinery Co., based in Birmingham, Ala.

