This final tip in our overview of corporate-level tier-1 policies addresses an area that is often overlooked in the Information Security program -- contract language. Our policies are written for our own employees. Any third party needing access to our information resources will be required to comply with our policies only if the contract they sign establishes that fact. The final two tier-1 policies complement each other and provide support for the Information Security Policy.
Procurement and Contracts – This policy establishes the way in which the organization conducts its business with outside firms. This policy addresses those items that must be included in any contract, including language that discusses the need for third parties to comply with the organization's policies, procedures and standards.
The Procurement and Contracts Policy is probably one of the most important for information security and other organization policies and standards. We can only write policies and establish standards and procedures for employees. All other third parties must be handled contractually. It is very important that the contract language reference any policies, standards and procedures that are deemed appropriate.
MORE INFORMATION ON POLICIES:
- Read the first installment of Tom Peltier's Tier-1 policies overview, which covers Employment and Standards of Conduct Policies.
- In the second installment of Tom Peltier's Tier-1 policies overview, learn about Conflict-of-Interest, Performance Management, Employee Discipline and Information Security Policies.
- Tom Peltier examines Corporate Communications, Work Place Security and Business Continuity Plan Policies in the third installment of this series.
All too often I review policies that contain language that reads something like "the policy applies to all employees, contractors, consultants, per diem and other third parties." Just because this language appears in a policy does not make it effective. Third parties must be handled contractually. Work with the procurement group and legal staff to ensure that purchase orders and contracts have the necessary language. It would be wise to include a confidentiality or non-disclosure agreement.
Records Management – Most organizations know that there will be a time when it will be necessary to destroy records. The Records Management policy establishes the standards for ensuring information is there as required by regulations and when it is time to properly dispose of the information. This policy normally establishes:
- The record name
- A brief description of the record
- The owning department
- The required length of time to keep the record
Asset Classification – This policy establishes the need to classify information, the classification categories and who is responsible for doing so. It normally includes the concepts of employee responsibilities such as the Owner, Custodian and User. The Asset Classification Policy is a companion policy to the Records Management Policy in that it adds the last two elements in information records identification. In addition to the four items identified in the Records Management policy, the Asset Classification policy adds:
- The classification level
- The owner's job title
It will be necessary to work with the policy-owner organizations to get these concepts included in the corporate policies. While these ideas seem logical to those of us in information security, they will require selling to the other departments. Present your case based on business issues and how these updates help the organization meets its mission.
About the author
Tom Peltier has been an information security professional for more than twenty-five years. He has written books on information security policies and contributed to several books on CISSP preparation, and computer and data security.