This article can also be found in the Premium Editorial Download "Information Security magazine: Is your data safe from next-generation attackers?."
Policies & Regulatory Compliance
Prior to the Enron and MCI/WorldCom debacles, corporate management and boards of directors paid little attention to IT security policies. That's changed with the passage of SOX and the potential of fines and jail time for companies and their executives if there's a violation.
SOX is intended for publicly traded companies and focuses on the accuracy of financial reporting. Section 404 looks at information systems and the controls around them; the lack of an IT security policy and of policy management is treated as an audit exception, which causes problems for the company. There really aren't any must-have policies for SOX compliance--auditors are looking for a strong overall information security program and policies, plus in-place monitoring of users and systems for compliance.
In addition to SOX, HIPAA and GLBA are two other pieces of legislation that affect security policies. Both require keeping data private: HIPAA with regard to healthcare information, and GLBA with regard to financial data. Companies that handle either financial or healthcare information must develop, deploy, monitor and manage policies that govern how data is stored and transmitted. These policies can affect the entire IT infrastructure of an organization, from firewall configuration to the data stored on workstations.
HIPAA and GLBA auditors will look for a solid data classification policy, or a policy that describes what types of data are used within the organization and how they are classified for privacy and security. Policies describing cryptography and cryptographic standards for the storage and transmission of sensitive data need to be outlined and deployed. Overall, auditors look for policies and procedures/guidelines that outline your data classification program and describe how that program will protect data within the organization.
Once policies are established, you need to figure out how to use them to best manage your enterprise's information security posture. (Everyone has a different definition of policy management. For our purposes, policy management is the conversion of policies into practical and enforceable controls that can be implemented across the enterprise.)
To have an effective policy management solution, several key support mechanisms must be in place:
- Employees must be subject to a communication and training program. Staff members cannot be expected to comply with policies if they don't understand them; training also provides a way for them to provide feedback on what is and isn't working.
- Management must enforce the policies in a consistent manner across the enterprise; otherwise, employees will not take the policies seriously. Work with your human resources department on how to handle enforcement. At the very least, HR should always be informed when enforcement issues arise.
- Metrics must be developed to measure policy effectiveness. Measuring effectiveness can be tricky, particularly in the security space (after all, if there's no breach, you have done your job properly). Metrics can examine how many users are being blocked from inappropriate Web sites, the number of viruses blocked in a given time period and the overall strength of user passwords.
- Implement a maintenance schedule to ensure that policies are reviewed and updated on a regular basis. Most regulators like to see this happen on a yearly basis.
This was first published in June 2006