Thursday, July 5, 2007

Information Security Policy 101 – Assess the Business


Let’s assume a couple of things: you have identified the need for information security policy and you have executive management endorsement. Now you are ready to start writing policy, but before we open Word and start typing away, we need more information. The policies we write need to be relevant to the business and provide value. Enter the business assessment.

A good business assessment for our purposes will attempt to answer the following questions:

What types of information does the business use?

How does the business use information?

What is the law?

The order in which these questions are answered is not important. What is most important is how accurately we answer them. The answers to these questions will provide direction in identifying which policies we need and what they should say.

What types of information does the business use?
It is important to identify the types of information used by the business in order to design controls (policy is a control) that apply the right amount of protection to the right information.

Information security personnel rarely know the information types that every business unit within an organization uses, so it is important at this stage to reach out to the business units. Information Security can reach out to the business units in a variety of ways: in-person interviews, questionnaires, creation of an Information Security Steering Committee staffed by personnel from across the organization, etc. No single approach works best for all organizations.

IMPORTANT: Information security must reach out to the various business units.

The goal of the “What types of information does the business use?” answers is to identify what information is most sensitive to the organization. Information that is typically more sensitive in nature:

  • Personally Identifiable Information (PII) – Credit card numbers, social security numbers, authentication data, etc.
  • Personal Health Information (PHI) – typically that information which is addressed by the HIPAA Privacy Rule
  • Financial information – financial information that has not been released by the organization for public consumption
  • Intellectual Property (IP) – inventions, formulas, trade secrets, etc.
  • Other information that if disclosed, altered, or destroyed has the potential to cause significant harm to the organization.

Gathering the types of information used by the organization will give guidance as to what should be protected the most.

How does the business use information?
The determination of how the business uses (creates, accesses, stores, transmits, discards, etc.) information will provide information security personnel guidance as to how to write policy that does not interfere with business.

Information security personnel should constantly remind themselves that a business is in business to make money. If information security controls are designed that hinder the ability of a business to make money efficiently and expeditiously, without reducing risk accordingly, then the control has been poorly designed. Policy is no exception.

The goal in determining how the business uses information is to determine where information creation, access, storage, transmission, and destruction should be authorized and where it should be prohibited. Again, communication with business units is critical.

What is the law?
There is an abundance of laws that pertain to information security. It is very important to understand how the various laws affect the information security program and policy.

Public companies have the Sarbanes-Oxley Act of 2002 (SOX), companies involved in health care have the Health Insurance Portability and Accountability Act (HIPAA), companies involved in financial transactions may have the Payment Card Industry Data Security Standard (PCI), pharmaceutical companies may have FDA 21 CFR Part 11, and the list goes on and on.

Information security personnel should consult the legal department to determine what laws and regulations apply to ensure that written policy will be in compliance.

Conclusion
There is plenty of groundwork that needs to be laid before writing an effective policy. Armed with the information obtained thus far, we should be in a good position to begin writing policies. Next we will take a look at the various policies that are common in many organizations to help you choose which are right for you.

Next in the series – “Information Security Policy 101 – Acceptable Use Policy”

Previous: "Information Security Policy 101 - Introduction to Information Security Policy"
