Tier-1 policies overview, part four: Procurement and Contracts, Records Management and Asset Classification Policies

This final tip in our overview of corporate-level tier-1 policies addresses an area that is often overlooked in the Information Security program -- contract language. Our policies are written for our own employees. Any third party needing access to our information resources will be required to comply with our policies only if the contract they sign establishes that fact. The final two tier-1 policies complement each other and provide support for the Information Security Policy.

Procurement and Contracts – This policy establishes the way in which the organization conducts its business with outside firms. This policy addresses those items that must be included in any contract, including language that discusses the need for third parties to comply with the organization's policies, procedures and standards.

The Procurement and Contracts Policy is probably one of the most important for information security and other organization policies and standards. We can only write policies and establish standards and procedures for employees. All other third parties must be handled contractually. It is very important that the contract language reference any policies, standards and procedures that are deemed appropriate.

All too often I review policies that contain language that reads something like "the policy applies to all employees, contractors, consultants, per diem and other third parties." Just because this language appears in a policy does not make it effective. Third parties must be handled contractually. Work with the procurement group and legal staff to ensure that purchase or

To continue reading for free, register below or login

Requires Membership to View

To gain access to this and all member only content, please provide the following information (all fields required):

First Name:
Last Name:
Country: Select... Afghanistan Aland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory British Virgin Islands Brunei Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos (Keeling) Islands Colombia Comoros Congo Congo, Democratic Republic of Cook Islands Costa Rica Cote D'Ivoire Croatia Cuba Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia, The Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard and McDonald Islands Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati Korea, North Korea, South Kuwait Kyrgyzstan Laos Latvia Lebanon Lesotho Liberia Libya Liechtenstein Lithuania Luxembourg Macau Macedonia Madagascar Malawi Malaysia Maldives Mali Malta Man, Isle of Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands Netherlands Antilles New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestine Panama Panama Canal Zone Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Reunion Romania Russia Rwanda Saint Helena Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and the Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia and Montenegro Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard Swaziland Sweden Switzerland Syria Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu U.S. Minor Outlying Islands Uganda Ukraine United Arab Emirates United Kingdom United States Uruguay Uzbekistan Vanuatu Vatican City Venezuela Vietnam Virgin Islands Wallis and Futuna Islands Western Sahara Yemen Zambia Zimbabwe
Email Address:

I would like to receive a FREE subscription to Information Security magazine online.
YesNo

Do you manage, evaluate, recommend, implement, support or purchase security products, software or services?
YesNo

Please estimate the yearly security budget for your entire organization including all security products and services.
Please select... Over $10 Million $5 Million-$10 Million $1 Million-$4.9 Million $500,000-$999,999 $100,000-$499,999 $50,000-$99,999 $25,000-$49,999 $10,000-$24,999 Less than $10,000 None

What is your role in purchasing IT related products and services? (Check all that apply)
Technical decision maker
Financial decision maker
Recommend/Specify
Evaluate products
Implement Products/Services
Determine Needs
Create Security Strategy
None

By joining SearchSecurity.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

Records Management – Most organizations know that there will be a time when it will be necessary to destroy records. The Records Management policy establishes the standards for ensuring information is there as required by regulations and when it is time to properly dispose of the information. This policy normally establishes:

Asset Classification – This policy establishes the need to classify information, the classification categories and who is responsible for doing so. It normally includes the concepts of employee responsibilities such as the Owner, Custodian and User. The Asset Classification Policy is a companion policy to the Records Management Policy in that it adds the last two elements in information records identification. In addition to the four items identified in the Records Management policy, the Asset Classification policy adds:

Final thoughts

It will be necessary to work with the policy-owner organizations to get these concepts included in the corporate policies. While these ideas seem logical to those of us in information security, they will require selling to the other departments. Present your case based on business issues and how these updates help the organization meets its mission.

About the author
Tom Peltier has been an information security professional for more than twenty-five years. He has written books on information security policies and contributed to several books on CISSP preparation, and computer and data security.