Sunday, August 30, 2009

Why Have a Security Policy?

It is generally impossible to accomplish a complex task without a detailed plan for doing so. A security policy is that plan, and provides for the consistent application of security principles throughout your company. After implementation, it becomes a reference guide when matters of security arise.

A security policy indicates senior management’s commitment to maintaining a secure network, which allows the IT staff to do a more effective job of securing the company’s information assets. Ultimately, a security policy will reduce your risk of a damaging security incident.

A security policy can provide legal protection to your company. By specifying to your users exactly how they can and cannot use the network, how they should treat confidential information, and the proper use of encryption, you are reducing your liability and exposure in the event of an incident. Further, a security policy provides a written record of your company’s policies if there is ever a question about what is and is not an approved act.

Security policies are often required by third parties as part of their due diligence process. Some examples of these might be auditors, customers, partners, and investors. Companies that do business with your company, particularly those that will be sharing confidential data or connectivity to electronic systems, will be concerned about your security policy.

Lastly, one of the most common reasons why companies create security policies today is to comply with regulations and standards that relate to the security of digital information. A few of the more commonly encountered are:

  • The PCI Data Security Standard (DSS)
  • The Health Insurance Portability and Accountability Act (HIPAA)
  • The Sarbanes-Oxley Act (SOX)
  • Massachusetts 201 CMR 17.00
  • The ISO family of security standards
  • The Gramm-Leach-Bliley Act (GLBA)

All these require, in some form, a written IT security policy.

For more information visit www.InstantSecurityPolicy.com