Tier-1 policies overview, part three: Corporate Communications, Work Place Security and Business Continuity Plan Policies

As we continue our look at Tier-1 policies, this third tip in a series examines three Tier-1 policies that are vitally important to the success of a corporate-wide Information Security program. The ability to protect information in all forms of correspondence, to protect employees in the workplace, and to be able to recover in the event of an emergency are all key elements in a successful Information Security program.

Corporate Communications – Instead of individual, top-specific policies on such items as voice-mail, e-mail, interoffice memos and outside correspondence, a single policy on what is and is not allowed in organization correspondence can be implemented. The Corporate Communications Policy supports the concepts established in the Employee Standards of Conduct, which address employee conduct, including harassment whether sexual, racial, religious or ethnic. The policy also discusses liable and slanderous content and the organization's position on such behavior.

• Read the first installment of Tom Peltier's Tier-1 policies overview.
• Read the second installment of Tom Peltier's Tier-1 policies overview.
• Listen to this on-demand webcast with policies guru Charles Cresson Wood on essential strategies for policy development.

The Corporate Communications Policy, typically owned by the Public Relations group, also addresses requests for information from outside the organization. This will include media requests, as well as the representation of the organization by speaking at or submitting white papers for various business-related conferences or societies.

Work Place Security – This policy addresses the need to provide employees with a safe and secure work environment. The need to implement sound security practices to protect employees, the organization's property and information assets is established here. Included in this policy are the basic security tenants of authorized access to the facility, visitor requirements, property removal and emergency response plans, including evacuation procedures.

Business Continuity Plans – For years this process was relegated to the Information Technology department and consisted mainly of the IT disaster recovery plan for the processing environment. The proper focus for this policy is the establishment of business unit procedures to support restoration of critical business process, applications and systems in the event of an outage.

The Business Continuity Plan Policy includes the following requirements for business units:

• Establish effective continuity plans
• Conduct business impact analysis for all applications, systems and business processes
• Identify preventive controls
• Coordinate the business unit BCP with the IT disaster recovery plan
• Test the plan, and train employees on the plan
• Maintain the plan to a current state of readiness

Thus, Business Continuity Planning establishes that each business unit and department has a responsibility to budget and develop contingency plans.

Next month, in the final installment of Tier-1 policies overview, we examine Procurement and Contracts, Records Management and Asset Classification Policies.

About the author
Tom Peltier has been an information security professional for more than twenty-five years. He has written books on information security policies and contributed to several books on CISSP preparation, and computer and data security.