Multi-dimensional enterprise-wide security: Due diligence

Learn how to protect information assets and resources within all areas of the enterprise and in compliance with all regulatory, policy and contractual requirements.

This tip is excerpted from Chapter 3 of The Definitive Guide to Security Inside the Perimeter, written by Rebecca Herold and published by Read the entire e-book for free.

In general, due diligence means providing demonstrated assurance that management is exercising adequate protection of corporate assets, such as information and compliance with legal and contractual obligations. This requirement is a powerful motivator to implement a training and awareness program. Key provisions of the United States Federal Sentencing Guidelines and 2004 amendments include establishing an effective compliance program and exercising due diligence in the prevention and detection of criminal conduct. Any organization with some type of compliance requirements and/or plans (basically all public entities given the Sarbanes-Oxley Act of 2002) is directly impacted by the guidelines. One way such due diligence is demonstrated is through an effective, executive-supported information security education program.

It is no longer good enough simply to write and publish information security and privacy policies and procedures. Organizational leaders must now have a good understanding of the policies and the program, support the program, and provide oversight of the program as reasonable for the organization. This new requirement reflects a significant shift in the responsibilities of compliance and ethics programs from positions such as the compliance officer and/or committee to the highest levels of management. The guidelines require that executive leaders support and participate in implementing the program. To do so, an effective ongoing information privacy, security and compliance education program must be in place.


  Protection strategies
  Risk assessment and analysis methodologies
  Define risks
  The goal of an information security policy
  Due diligence
  Corporate reputation
  Audit and validation
  Simplifying complexity
  Divide and conquer
  An action plan

Rebecca Herold is currently an information privacy, security and compliance consultant, author and instructor with her own company, Rebecca Herold, LLC. Rebecca has provided information security, privacy and regulatory services to organizations from a wide range of industries. She has over 15 years of information privacy, security and compliance experience. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the 1998 CSI Information Security Program of the Year Award.
This was last published in January 2006

Dig Deeper on Information security policies, procedures and guidelines