Home / Resource Center / Blog / Got Security Policy Part 3 Basic Policy

Got Security Policy? Part 3: Basic Policy

Brad Curtis

Brad Curtis    |    July 23, 2010

Implement, Communicate, Update, and Enforce Your Policy

My last post described how to develop a Security Policy from scratch. Some organizations may have a very basic policy in-place but do not communicate, update, or enforce the policy. This post provides some high-level direction on how you can get started.

Note: Most industry standards and regulations (e.g., PCI, SAS-70, GLBA, HIPAA, SOX, etc.), require you have, at a minimum, a written Security Policy that is communicated to employees, contractors, etc.

You do not need a committee to get started on implementing your policy. However, I would suggest a few very important administrative assurances before rolling it out:

  • Technical Writer – have a tech writer develop, or at least, edit the policy
  • HR Review – have HR review the policy to ensure it doesn’t conflict with your corporate culture or invoke an unnecessary burden to the company
  • Legal Review – if an option, you should have a legal firm review the policy to ensure it is in line with local, state, and federal laws and regulations.

Implement

Once you have a Security Policy (albeit in many cases very basic), you can quickly take a step closer to compliance by implementing a few basic principals:

  1. Require all new employees to read your Security Policy (or all employees if you are starting from scratch with a policy for the first time)
  2. Notify employees of changes you make to the policy
  3. State the disciplinary actions, which may result from non-compliance

Update

You should review the policy at least on an annual basis to ensure it is still valid, accurate, and applicable. You will always find there’s information missing or it is outdated.

Communicate

When you do make changes to the policy, ensure you communicate those changes via e-mails or the company Intranet. This will reduce the cycles involved with HR when employee’s question why policy has changed and they were not informed.

Enforce

Train employees on the importance of following the policy and the ramifications for not following it. Require employees to report any instances of non-compliance or incidents to your security officer, HR representative, or executive.

If you implement these basic principals, you are well on your way to having a solid Security Policy and program. Up next, I’ll discuss how you can take implementing your Security Policy to the next level and get you one step closer to a solid security program.

 

POST A COMMENT

Name
Email
Comment
<< All Entries

Solutionary is a leading managed security service provider. The company reduces the information security and compliance burden, providing flexible security services that work the way clients want; enhancing existing initiatives, infrastructure and personnel. This blog is a place to learn about, and discuss, a wide variety of security and compliance topics.

LATEST TWEETS