Information security policies, standards, procedures, and plans exist for one reason – to protect the organization and, by extension, its constituents from harm. The lesson of the Information Security Policy domain is threefold:
- Information security directives should be codified in a written policy document.
- It is important that management participate in policy development and visibly support the policy.
- Information security should be strategically aligned with business requirements and relevant laws and regulations.
Internationally recognized security standards such as the ISO 27002:2013 can provide a framework, but ultimately each organization must construct its own security strategy and policy, taking into consideration organizational objectives and regulatory requirements.
What is meant by Strategic Alignment?
The two approaches to information security are parallel and integrated.
A parallel approach:
- Silos information security;
- Assigns responsibility for being secure to the IT department;
- Views compliance as discretionary; and
- Has little or no organizational accountability.
An integrated approach recognizes that security and success are intertwined.
When strategically aligned, security functions as a business enabler that adds value. Security is an expected topic of discussion among decision makers, and is given the same level of respect as other fundamental drivers and influencing elements of the business.
This doesn’t happen magically. It requires leadership that recognizes the value of information security, invests in people and processes, encourages discussion and debate, and treats security in the same fashion as every other business requirement. It also requires that information security professionals recognize that the true value of information security is protecting the business from harm and achieving organizational objectives. Visible management support coupled with written policy formalizes and communicates the organizational commitment to information security.
Learn more in our Blog Series, Creating a Cybersecurity Culture.
Information Security Policy Regulatory Requirements
In an effort to protect the citizens of the United States, legislators recognized the importance of written information security policies. The following all require covered entities to have written policies and procedures in place that protect their information assets, and to review those policies on a regular basis:
- Gramm-Leach-Bliley Act (GLBA);
- Health Insurance Portability and Accountability Act (HIPAA);
- Sarbanes-Oxley (SOX);
- Family Educational Rights and Privacy Act (FERPA); and
- Federal Information Security Management Act (FISMA).
Many organizations find that they are subject to more than one set of regulations. For example, publicly traded banks are subject to both GLBA and SOX requirements, whereas medical billing companies find themselves subject to both HIPAA and GLBA. Organizations that try to write their policies to match federal regulations find the task daunting. Fortunately, the regulations published to date have enough in common that a well-written set of information security policies based on a framework such as the ISO 27002:2013 can be mapped to multiple regulatory requirements. Policy administrative notations will often include cross-reference to specific regulatory requirements.
Recently, in response to the ever-growing threat of cyber-attacks, the New York State Department of Financial Services enacted 23 NYCRR 500. This first-of-its-kind cybersecurity regulation requires NYS financial services companies to develop a robust, risk-based cybersecurity program that protects the confidentiality, integrity, and availability of nonpublic data.
Learn more in Complying with the 23 NYCRR 500 Cybersecurity Regulation.
User Versions of Information Security Policies
Information security policies are governance statements written with the intent of directing the organization. Correctly written policies can also be used as teaching documents that influence behavior.
An Acceptable Use Policy document and corresponding agreement should be developed specifically for distribution to the user community. The Acceptable Use Policy should include only pertinent information and, as appropriate, explanations and examples. The accompanying agreement requires users to acknowledge that they understand their responsibilities and affirm their individual commitment.
Vendor Versions of Information Security Policies
It’s common for companies to outsource work, but never the responsibility or liability. Vendor or business partners (often referred to as “third parties”) that store, process, transmit, or access information assets should be required to have controls that meet or, in some cases, exceed organizational requirements.
One way to evaluate vendor security is to provide them with a vendor version of the organizational security policies and require them to attest to their compliance. The vendor version should contain only the policies that are applicable to third parties, and should be sanitized so as not to disclose any confidential information.
Since the hugely publicized Target breach of 2013, the importance of understanding the cybersecurity environment of your business’s third-party vendors has grown. This breach served, in part, as a catalyst for new requirements and best practices. For example, in 2015, the Federal Financial Institutions Examination Council (FFIEC) updated its Business Continuity Booklet, one of the series of booklets that comprise the larger Information Technology (IT) Examination Handbook, to include Appendix J: Strengthening the Resilience of Outsourced Technology Services.
As external dependencies continue to grow, setting up and maintaining an effective cybersecurity review program for your third parties is important. Learn more in Creating a Vendor Management Program to Mitigate Cybersecurity Risk.
Client Synopsis of Information Security Policies
In this context, client refers to companies to which the organization provides services. A synopsis of the information security policy should be available upon request to clients. As applicable to the client base, the synopsis could be expanded to incorporate incident response and business continuity procedures, notifications, and regulatory cross-references. The synopsis should not disclose confidential business information unless the recipients are required to sign a non-disclosure agreement.
Building a Foundation for Cyber Resilience
An Information Security Policy provides the foundation for a successful Program to protect your information, prepare for and adapt to changing threat conditions, and withstand and recover rapidly from disruptions. Tyler can help with the development of your policy – or even assess your current one. Our methodology is collaborative in nature, and we work with your management and staff to incorporate existing documents and practices, as well as to develop new Policies, Standards, and Agreements where necessary.
Note: This article is an excerpt from Security Program and Policies: Principles and Practices (2nd Edition) by Sari Greene.