Information Security Policy and Procedures
Formal, documented information security policies and procedures are a requirement of many industry standards, including PCI-DSS, SOX, and HIPAA. Moreover, it is best practice for businesses of all sizes to keep information security policies and procedures up to date – and to ensure they are communicated to and understood by all personnel. The information security policies and procedures, of course, need to be tailored to serve your business’s particular needs.
The goal of this post is to delineate a comprehensive list of topics to cover in a robust Information Security Policy. Consider including them in your company’s information security policy.
Topics:
- Overview & Purpose
- Scope
- Policy
- Roles and Responsibilities
  - IT Leader / CIO – Information Security Officer
  - Systems & Networking Administrator
  - Software & Programming Engineers (Developers)
  - Change Management / Change Control Personnel
  - End Users
  - Third-party Vendors / Contractors
- Roles and Responsibilities
- Information Security Awareness Solutions
- Defense-in-Depth
- Layered Security
- Cloud Computing Guidelines & Security
- Cyber Security
- Email Guidelines, Responsibilities & Acceptable Use
- CAN-SPAM ACT
- Internet Guidelines, Responsibilities & Acceptable Use
- Network Guidelines, Responsibilities & Acceptable Use
- Social Media Guidelines, Responsibilities & Acceptable Use
- Identity Theft
- Securing Your Home Network
- Online Security and Mobile Computing
- Shopping Online
- Other Security Awareness Considerations
- Helpful Security Resources
- Security Updates
- Workstation Security
- Laptop Security
- Software Licensing and Usage
- Internal vs. External Threats
- Clean Desk Policy
- Data and Confidential Information Classification
- Data Security Breaches
- Security Categorization
- Technology Asset Inventory
- Personally Identifiable Information (PII)
- Protected Health Information (PHI)
- Personally Identifiable Financial Information (PIFI)
- Physical and Environmental Security
- Personnel
- Security Awareness Training
- Provisioning and Hardening
- Time Synchronization – Network Time Protocol (NTP)
- Access Rights
- Least Privileged Model
- Methods of Authentication
- Password Requirements
- De-provisioning / Off-boarding Process
- Remote Access / VPN Access
- Wireless Security
- Malware & Viruses
- Change Control | Change Management
- Software Development Life Cycle (SDLC)
- Patch Management
- Vulnerability Management
- Configuration Management
- Vendor and Third-party Management
- Backup and Storage
- Encryption
- Security Event Monitoring
- Configuration and Change Monitoring
- Performance and Utilization Monitoring
- Security Incident Response & Reporting
- Logging and Reporting
- Data Retention and Disposal Requirements
- Performance and Security Testing
- Disaster Recovery
- Forms should include (for Users, Guests & Vendors)
  - New or updated User Access
  - Access revocation / off-boarding
  - Employee Separation & HR Process
  - Program / Systems Change Request
  - Program / Systems Change Management Logging
  - Remote Access Request
  - Incident Response Instructions & Documentation
Effective information security policies and procedures should be written so that they are easily understood by the users of IT services. Address each topic specifically, and spell out what is acceptable and what is unacceptable.
Soltis Associates is available to assist with your company’s information technology efforts including assessing the effectiveness of general controls, recommending security improvements, updating Information Security Policies & Procedures content as well as providing urgent assistance to address an actual or suspected security breach. Stay tuned for additional information technology-related discussions.