Given the many threats organizations face in protecting critical information and processes, an information security policy is arguably one of the most important documents an organization can create. Consider these best practices for creating a new security policy and keeping an existing policy up to date.
Ensure that senior management will support the security policy. Bring senior management into the policy creation process early, and make sure the policies are designed to fulfill the business objectives of the organization. Set up a series of interview questions intended to provide a clear understanding of their position on security risk.
Consider using a security policy template or other authoritative guideline. This will provide the basic framework for the policy document and can be customized to address the needs of a specific organization. Good resources can be found in the ISO 27000 series (27001, 27002 or 27005 at iso.org); the National Institute of Standards and Technology (NIST) Special Publication 800-14 at tinyurl.com/23jst6; and ISACA’s Control Objectives for Information and related Technology (COBIT) at isaca.org.
Include consequences for noncompliance. Work with the human resources and legal departments to include appropriate sanctions, which can include termination or prosecution.
Thoroughly review applicable laws. Ensure the security policy complies with the organization’s regulatory environment, including the FTC Red Flag Rules, Health Insurance Portability and Accountability Act (HIPAA) regulations on the release of medical information, the Gramm-Leach-Bliley Act, applicable state-specific laws, and e-discovery requirements.
Use clear and concise ideas to communicate the security policy. Use directive wording (must, will, etc.) and nontechnical terms that employees can understand. Policies should be written independent of specific operating systems or software applications.
Require a regular review process. This should be done at least annually by a team or officer designated by senior management to ensure the policy does not become obsolete. A clear process, called version control, should be designed to provide for how appropriate policy changes can be made, who will be responsible for approving changes, and the frequency with which this process should occur.
Review all internal controls for any appropriate modification, including all audit reports since the previous review. Assess new vulnerabilities that may have arisen since the last review and develop appropriate countermeasures. Have the human resources and legal departments determine any new regulatory or legal restrictions relevant to the security policy. Consider storing the security policy on an access-restricted Web site, and forward copies of revised policy documents to appropriate employees. Ensure appropriate controls are incorporated in the internal control process. Internal security audits should be conducted regularly. A detailed audit report should be discussed with, and any material deficiencies addressed by, an audit committee designated by senior management.
Test the system. Check the disaster recovery procedures and consider running a mock shutdown, including restoring backup media to confirm that a restore process will work properly. Review appropriate insurance policies and update coverage and benefits as needed. Make sure employees have access only to information necessary for their function.
Use the security policy as an opportunity to establish an ongoing security-training program. Everyone in the organization should understand his or her role in maintaining security for the company’s data and employees.
—By Ron Box, CPA/CITP/CFF, CISSP, (rbox@joemoney.com) CFO and CIO for Joe Money Machinery Co., based in Birmingham, Ala.