Your business must have a viable information security policy if you use computers to process transactions that retain valuable or confidential information. Most businesses operate without one.

Having a formal plan to protect your organization's confidential information is a "no-brainer". Without one, you are documenting a lack of due diligence on your part. Persons who would file a lawsuit against you for the disclosure or loss of their confidential information would likely win in a court of law. You are setting yourself up for potential financial losses unless you have an information security policy and follow through on it.

An information security policy is a set of rules or requirements that govern how your organization and its employees manage their digital resources and assets in a safe manner. The reason for adopting controlling statements to protect digital assets is to provide a structure that assures the confidentiality, integrity and availability of data resources for decision-making.

Information security or data assurance policies would include statements that describe how a structured information asset inventory is conducted, a comprehensive risk assessment program, how information assets are to be used appropriately, how data encryption shall occur, an incident response plan, an outline of safe work practices, how the management of change should occur, and what forensic and business continuity plans are in place, among other things.

A number of formal information security structures exist. Among the best known is ISO 17799 and its successors, known as the ISO 27000 series. These guidelines and controls are proposed standards published by the International Standards Organization. Either would provide an excellent basis for security policies. There are others. Among them are FISMA (Federal Information Security Act) and COBIT (Control Objectives for Information and related Technology). The federal government uses the provisions of FISMA to meet the specific control requirements of the Act, while COBIT outlines security best practices and has a more specific application in business and industry.

The most important component of an information security plan is that it be overtly established and/or published, and that all employees who work with the information infrastructure are educated as to the provisions of the adopted security policy. Your organization may already be handling heavily regulated information such as EPHI (Electronic Protected Health Information) without your knowledge. Do you know what a "covered entity" is under the provisions governing EPHI? Without specific knowledge of your status as a covered or uncovered entity, you are also unaware whether you are in compliance with the law.

Organizations must accept the responsibility of deploying critical information and network infrastructure in an asymmetric threat environment. Acknowledging this is the starting point for making information security a business process like safety, human resources, etc. In addition, providing for information security is a basic fiduciary responsibility of an organization, one that includes assuring the survival of the business or organization. Ignoring information security is negligent and reckless in today's world.

You can learn more about how to secure your information assets at http://www.computer-security-glossary.org.

© Alliant Digital Services.