Security Policy:
Information Security Policy
The objective of this category is to provide management direction and support for information security in accordance with business requirements and all relevant laws, regulations and private certification requirements.
Information security policy document
One or more information security policy documents should be approved by management, and published and communicated to all employees and relevant external parties.
Control includes:
- Overall information security objectives and scope, including statement of management intent, supporting goals and principles of information security
- Listing of identified authorities and requirements that condition or control information security activities, including an explanation or listing of security policies, principles, standards and compliance requirements of importance to the organization
- Framework for setting control objectives and the controls themselves, including a structure for risk assessment and risk management
- Definitions of general and specific responsibilities for information security management
- References to documents that support or underpin the policy
- Retention of all versions of the policy, and any associated documentation, for at least six years
HORSE FACTS: Six-year retention requirement derived from HIPAA 164.316(b)(2)(i).
Review of information security policies
The information security policy or policies should be reviewed at planned intervals, and whenever significant changes in the external environment occur, to ensure their continued suitability, adequacy and effectiveness.
Control includes:
- Solicitation and integration of feedback from all interested parties
- Independent, third-party reviews as appropriate
- Recommendations and requirements of relevant authorities
- Consideration of trends in threats and vulnerabilities, and available technologies for counter-measures and mitigations
- Consideration of trends in the compliance requirements of federal, state, local and private certification authorities
- Consideration of trends in and anticipated changes to the organizational environment, business circumstances, and resource availability
- Historical data on information security incidents at the organization itself and at peer institutions
- A formal record of the review(s) undertaken for plan development and refinement, and their outcomes
- Retention of this record for at least six years
HORSE FACTS: Six-year retention requirement derived from HIPAA 164.316(b)(2)(i).
Other security policy
This category aims to ensure that the organization's other security policies, those not primarily directed at information security, are congruent with the information security policy in intent and effect.
Coordination with other security policies
Other security policies that are not primarily directed at information security should be reviewed at planned intervals, and whenever significant changes in the external environment occur, to ensure compatibility with information security efforts.
Control includes:
- Identification of all other relevant policies
- Inclusion of representatives from the areas responsible for such policies in the periodic review of the information security policy
Information Security Policy Samples
ISO 17799 section 5.1 defines the information security policy objective "to provide management direction and support for information security in accordance with business requirements and relevant laws and regulations". Section 5.1.1 requires management to approve and publish an information security policy document. Section 5.1.2 requires the policy to be reviewed periodically or when significant changes occur.
This section of the wiki provides templates for an Information Security Program Charter and supporting policies that are required to comply with ISO Security Policy objectives.
- 1: Sample ISO Information Security Program Charter
- The Information Security Program Charter is required to comply with ISO Security Policy objectives and serves as the capstone document for the Information Security Program that empowers the Program to manage Information Security-related business risks.
- 2: Sample ISO Asset Identification and Classification Policy
- The Asset Identification and Classification Policy is required to comply with ISO Security Policy objectives and builds on the mission statement established in the Information Security Program Charter by defining objectives for establishing specific standards to properly classify and label information assets.
- 3: Sample ISO Asset Protection Policy
- The Asset Protection Policy is required to comply with ISO Security Policy objectives and builds on the mission statement established in the Information Security Program Charter by defining objectives for establishing specific standards to ensure the security, confidentiality, integrity, and availability of information, as well as to protect against threats to or unauthorized access to such information.
- 4: Sample ISO Asset Management Policy
- The Asset Management Policy is required to comply with ISO Security Policy objectives and builds on the mission statement established in the Information Security Program Charter by defining objectives for managing the Information Technology infrastructure, including networks, systems, and applications that store, process and transmit sensitive information throughout the entire life cycle.
- 5: Sample ISO Acceptable Use Policy
- The Acceptable Use Policy is required to comply with ISO Security Policy objectives and builds on the mission statement established in the Information Security Program Charter by defining objectives for ensuring the appropriate business use of electronic communications resources.
- 6: Sample ISO Vulnerability Assessment and Management Policy
- The Vulnerability Assessment and Management Policy is required to comply with ISO Security Policy objectives and builds on the mission statement established in the Information Security Program Charter by defining objectives for ensuring that vulnerability assessment activities are performed and that vulnerability mitigation efforts are properly managed.
- 7: Sample ISO Threat Assessment and Monitoring Policy
- The Threat Assessment and Monitoring Policy is required to comply with ISO Security Policy objectives and builds on the mission statement established in the Information Security Program Charter by defining objectives for establishing specific standards to ensure periodic threat assessment and ongoing threat monitoring and incident response activities are performed.
- 8: Sample ISO Security Awareness Policy
- The Security Awareness Policy is required to comply with ISO Security Policy objectives and builds on the mission statement established in the Information Security Program Charter by defining objectives for ensuring that a formal Security Awareness Program is established, as well as ensuring that Information Security objectives and requirements are properly communicated and understood.
References
Information security policy document:
- ISO-27002:2005 5.1.1
- HIPAA 164.316(a-b)
- PCI-DSS:2005 12
Review of information security policies:
- ISO-27002:2005 5.1.2
- HIPAA 164.308(a)(8)
- HIPAA 164.316(a-b)
- PCI-DSS:2005 12
See Also
- ISO 17799/27002 - Code of Practice for Information Security Management