Given the many threats organizations face in protecting critical information and processes, an information security policy is arguably one of the most important documents an organization can create. Consider these best practices for creating a new security policy and keeping an existing policy up to date.
Ensure that senior management will support the security policy. Bring senior management into the policy creation process early, and make sure the policies are designed to fulfill the business objectives of the organization. Set up a series of interview questions intended to provide a clear understanding of their position on security risk.
Consider using a security policy template or other authoritative guideline. This will provide the basic framework for the policy document and can be customized to address the needs of a specific organization. Good resources can be found at the ISO series (27001, 27002 or 27005 at iso.org); the National Institute of Standards and Technology (NIST) Publication 800-14 at tinyurl.com/23jst6; and ISACA’s Control Objectives for Information and related Technology (CoBIT) at isaca.org.
Include consequences for noncompliance. Work with the human resources and legal departments to include appropriate sanctions, which can include termination or prosecution.
Thoroughly review applicable laws. Ensure the security policy complies with the organization’s regulatory environment, including: FTC Red Flag Rules, Health Insurance Portability and Accountability Act (HIPAA) regulations on the release of medical information, the Gramm-Leach-Bliley Act, applicable state-specific laws, and e-discovery requirements.
Use clear and concise ideas to communicate the security policy. Use directive wording (must, will, etc.) and nontechnical terms that employees can understand. Policies should be written independent of specific operating systems or software applications.
Require a regular review process. This should be done at least annually by a team or officer designated by senior management to ensure the policy does not become obsolete. A clear process, called version control, should be designed to provide for how appropriate policy changes can be made, who will be responsible for approving changes, and the frequency with which this process should occur.
Review all internal controls for any appropriate modification, including all audit reports since the previous review. Assess new vulnerabilities that may have arisen since the last review and develop appropriate countermeasures. Have the human resources and legal departments determine any new regulatory or legal restrictions relevant to the security policy. Consider storing the security policy on an access-restricted Web site, and forward copies of revised policy documents to appropriate employees. Ensure appropriate controls are incorporated in the internal control process. Internal security audits should be conducted regularly. A detailed audit report should be discussed with, and any material deficiencies addressed by, an audit committee designated by senior management.
Test the system. Check the disaster recovery procedures and consider running a mock shutdown, including restoring backup media to confirm that a restore process will work properly. Review appropriate insurance policies and update coverage and benefits as needed. Make sure employees have access only to information necessary for their function.
Use the security policy as an opportunity to establish an ongoing security-training program. Everyone in the organization should understand his or her role in maintaining security for the company’s data and employees.
—By Ron Box, CPA/CITP/CFF, CISSP, (firstname.lastname@example.org) CFO and CIO for Joe Money Machinery Co., based in Birmingham, Ala.
More from the JofA: