Firm Up Your Data Security


Given the many threats organizations face in protecting critical information and processes, an information security policy is arguably one of the most important documents an organization can create. Consider these best practices for creating a new security policy and keeping an existing policy up to date.


Ensure that senior management will support the security policy. Bring senior management into the policy creation process early, and make sure the policies are designed to fulfill the business objectives of the organization. Set up a series of interview questions intended to provide a clear understanding of senior management's position on security risk.


Consider using a security policy template or other authoritative guideline. This will provide the basic framework for the policy document and can be customized to address the needs of a specific organization. Good resources include the ISO 27000 series (27001, 27002 or 27005); the National Institute of Standards and Technology (NIST) Special Publication 800-14; and ISACA's Control Objectives for Information and related Technology (COBIT).


 Include consequences for noncompliance. Work with the human resources and legal departments to include appropriate sanctions, which can include termination or prosecution.


 Thoroughly review applicable laws. Ensure the security policy complies with the organization’s regulatory environment, including: FTC Red Flag Rules, Health Insurance Portability and Accountability Act (HIPAA) regulations on the release of medical information, the Gramm-Leach-Bliley Act, applicable state-specific laws, and e-discovery requirements.


 Use clear and concise ideas to communicate the security policy. Use directive wording (must, will, etc.) and nontechnical terms that employees can understand. Policies should be written independent of specific operating systems or software applications.


Require a regular review process. This should be done at least annually by a team or officer designated by senior management to ensure the policy does not become obsolete. Establish a clear version-control process that defines how policy changes are proposed and made, who is responsible for approving changes, and how often the review cycle occurs.


 Review all internal controls for any appropriate modification, including all audit reports since the previous review. Assess new vulnerabilities that may have arisen since the last review and develop appropriate countermeasures. Have the human resources and legal departments determine any new regulatory or legal restrictions relevant to the security policy. Consider storing the security policy on an access-restricted Web site, and forward copies of revised policy documents to appropriate employees. Ensure appropriate controls are incorporated in the internal control process. Internal security audits should be conducted regularly. A detailed audit report should be discussed with, and any material deficiencies addressed by, an audit committee designated by senior management.


 Test the system. Check the disaster recovery procedures and consider running a mock shutdown, including restoring backup media to confirm that a restore process will work properly. Review appropriate insurance policies and update coverage and benefits as needed. Make sure employees have access only to information necessary for their function.


 Use the security policy as an opportunity to establish an ongoing security-training program. Everyone in the organization should understand his or her role in maintaining security for the company’s data and employees.


—By Ron Box, CPA/CITP/CFF, CISSP, CFO and CIO for Joe Money Machinery Co., based in Birmingham, Ala.

