2. Security policy (ISO)

Information security policy

The objective of this category is to provide management direction and support for information security in accordance with business requirements and all relevant laws, regulations and private certificatory requirements.

Information security policy document • One or more information security policy documents should be approved by management, and published and communicated to all employees and relevant external parties. Control includes:

• overall information security objectives and scope, including statement of management intent, supporting goals and principles of information security;
• listing of identified authorities and requirements that condition or control information security activities, including an explanation or listing of security policies, principles, standards and compliance requirements of importance to the organization;
• framework for setting control objectives and controls themselves, including a structure for risk assessment and risk management;
• definitions of general and specific responsibilities for information security management;
• references to documents that support or underpin the policy; and
• retention of all versions of the policy, and any associated documentation, for at least six years.

Authorities: ISO-27002:2005 5.1.1.; HIPAA 164.316(a-b); PCI-DSS:2005 12;

Notes: Six-year retention requirement derives from HIPAA 164.316(a)(2)(i).

Review of information security policies • The information security policy or policies should be reviewed at planned intervals, and when significant changes in the external environment occur, to ensure its continued suitability, adequacy and effectiveness. Control includes:

• solicitation and integration of feedback from all interested parties;
• independent, third-party reviews as appropriate;
• recommendations and requirements of relevant authorities;
• consideration of trends in threats and vulnerabilities, and available technologies for counter-measures and mitigations;
• consideration of trends in compliance requirements of federal, state, local and private certificatory authorities;
• consideration of trends in and anticipated changes to the organizational environment, business circumstances, and resource availability;
• historical data on information security incidents at the organization itself and at peer institutions;
• a formal record of the review(s) undertaken for plan development and refinement, and their outcomes; and
• retention of this record for at least six years.

Authorities: ISO-27002:2005 5.1.2.; HIPAA 164.308(a)(8); HIPAA 164.316(a-b); PCI-DSS:2005 12;

Notes: Six-year retention requirement derives from HIPAA 164.316(a)(2)(i).

Other security policy

This category aims to assure that other, non-information-directed security policies are congruent in intent and effect.

Coordination with other security policies • Other non-information security policy or policies should be reviewed at planned intervals, and when significant changes in the external environment occur, to ensure compatibility with information security efforts. Control includes:

• identification of all other relevant policies;
• inclusion of the representatives from the areas responsible for such policies in the periodic review of information security policy.

Authorities: ISO-27002:2005 5.1.2.

Article By http://privacy.med.miami.edu