
	Home > Security Tips > Compliance Counselor > Sharing the responsibility of developing policies

Security Tips:

EMAIL THIS

TIPS & NEWSLETTERS TOPICS

COMPLIANCE COUNSELOR

Sharing the responsibility of developing policies

Thomas R. Peltier, CISSP
06.29.2004
Rating: -4.60- (out of 5)

Digg This!

StumbleUpon

Del.icio.us

As security professionals we often view the overall objective of an information security program is to protect the integrity, confidentiality and availability of information. While this is true from a security perspective, it is not the organization's objective. Information is an asset and must be shared throughout the organization with those that have a business need for access. Furthermore, information is an asset of the entire enterprise and all employees are responsible for protecting it.

An information protection program should be part of any organization's overall asset protection program. The information protection program is a business function that provides management with the processes needed to perform their fiduciary duty. That is, management is charged with a trust to ensure that adequate controls are in place to protect the assets of the enterprise. An information security program that includes policies, standards and procedures ensures that management can demonstrate this standard of due care.

There are at least twelve organization-wide (Tier-1) policies and each should include reference to information security. As information security professionals, it is our responsibility to implement policies that reflect the business and mission needs of the enterprise. While it is not our sole responsibility to develop policies, it is our responsibility to work with the other business units to ensure that the enterprise-wide responsibility to protect information resources is included in all phases of the business process. In the chart below I've indicated the primary department responsible for developing each of the Tier-1 Policies, as well as the link to more information about each policy.

Tier-1 Corporate Policy	Responsible Department
Employment Practices	Human Resources
Employee Standards of Conduct	Human Resources
Conflict of Interest	Auditing
Performance Management	Human Resources
Employee Discipline	Human Resources
Information Security	Information Security
Corporate Communications	Corporate Communications – Public Relations
Procurement and Contracts	Purchasing
Records Management	Records Retention
Asset Classification	Information Security
Work Place Security	Physical Security
Business Continuity Planning	Facilities Management

Rate this Tip
To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member.

BROWSE BY TAG

Compliance Counselor, Information Security Management, Information Security Policies, Procedures and Guidelines, VIEW ALL TAGS

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Compliance Counselor
	Identity lifecycle management for security and compliance
	Interpreting 'risk' in the Massachusetts data protection law
	FTC Red Flags Rules: How to create an identity theft prevention plan
	Creating a HIPAA employee training program
	Data protection tips for corporate compliance leaders
	PCI DSS compliance requirements: Ensuring data integrity
	Understanding PCI DSS compliance requirements for log management
	Are 'strong authentication' methods strong enough for compliance?
	Strategies for using technology to enable automated compliance
	Common PCI questions: Web application firewalls or source code review?

Information Security Policies, Procedures and Guidelines

Health Net breach failure of security policy, technology

How to protect distributed information flows

Essential guide: Pandemic planning for H1N1

Whitelists, SaaS modify traditional security, tackle flaws

Melissa Hathaway urges more cooperation, government attention to cybersecurity

Reuters: Obama ready to select cyber security czar

How a corporate Twitter policy can combat social network threats

Should enterprises be concerned with Twitter in the workplace?

Information security management hype: Debunking best practices

Data breach avoidance begins with security basics, panel says

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

defense in depth (SearchSecurity.com)

non-disclosure agreement (SearchSecurity.com)

security policy (SearchSecurity.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

Research Solutions for Network Security, Access Control and Security Threats

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Site Index

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 2003 - 2009, TechTarget \| Read our Privacy Policy