By Harris Weisman
Prior to the Enron and MCI/WorldCom debacles, corporate management and boards of directors paid little attention to IT security policies. That's changed with the passage of SOX and the potential of fines and jail time for companies and their executives if there's a violation.
SOX is intended for publicly traded companies and focuses on the accuracy of financial reporting. Section 404 looks at information systems and the controls around them; failure to have an IT security policy and policy management are considered exceptions, causing problems for the company. There really aren't any must-have policies for SOX compliance -- auditors are looking for a strong overall information security program and policies, plus in-place monitoring of users and systems for compliance.
In addition to SOX, HIPAA and GLBA are other legislation that impact security policies. Both require keeping data private: HIPAA with regards to healthcare information, and GLBA with regards to financial data. Companies involved with either financial or healthcare information must develop, deploy, monitor and manage policies that govern how data is stored and transmitted. These policies can affect the entire IT infrastructure of an organization from firewall configuration to the data stored on workstations.
HIPAA and GLBA auditors will look for a solid data classification policy, or a policy that describes what types of data are used within the organization and how they are classified for privacy and security. Policies describing cryptography and cryptographic standards for the storage and transmission of sensitive data need to be outlined and deployed. Overall, auditors look for policies and procedures/guidelines that outline your data classification program and describe how that program will protect data within the organization.