@jcohen66
Last active July 26, 2024 23:29
CISM IT Security Policy #cism #security #policy
Writing Security Policies
https://www.cyberpilot.io/it-security-policy-downloada
Purpose
- Provide a framework
- Sets objectives for IT Security
- Delegates responsibility
- Creates guidelines and rules for employees to follow
Why It's Important
- Sets expectations for handling of personal data
- Helps to protect against data loss
- Gives employees clear instructions on their responsibilities
- Prevents costly regulatory fines
How To Write One
- Purpose
- Validity
- Objectives
- Organization and responsibilities
- Waiver
- Reporting
- Violations
Purpose
- Set the framework
- "The security policy defines the framework for the management of IT Security in organization X"
Validity
- Who does it affect?
- Is anyone exempt?
- "The security policy applies to all employees at X and to all access to X's information systems"
Objectives
- What do we want to achieve?
- Can have multiple objectives
- Could be a risk-based approach
- "Org X uses a risk-based approach of protection and its cost must be based on the business risk and impact assessment that must be carried out annually as a minimum"
- "X aims to comply with the relevant legislation, including the GDPR"
Organization And Responsibilities
- Who is responsible?
- Clearly designate roles
- Who will be accountable for the policy?
- IT policy should mirror the IT Department reality
- "The IT Department consults, coordinates, controls and reports on the status of security"
- "The individual employee is responsible for complying with the IT Security policy and being informed of the IT usage policy"
Waiver
- Exceptions to responsibilities, and who may approve them
- "Waivers for X's IT security policy and guidelines are approved by the IT department based on the guidelines laid out by the executive board"
Reporting
- Establishing a reporting process is key to the safety of data
- Highlight areas of responsibility
- "The IT Department informs the executive board about all relevant security breaches"
- "The status of waivers is included in the IT department's annual report to the executive board"
- "The executive board reviews the security status annually and reports to the board of directors afterwards"
Violations
- What happens when someone knowingly violates the policy?
- Who should act on it?
- "Intentional violation and abuse are reported by the IT department to the HR department and the closest authority with lead responsibility"
- "Violation of the IT security policy and supporting guidelines may result in employment law consequences"
Guidelines
- Make sure everyone understands the policy
- Conduct regular reviews and audits
- Train your employees
- Develop a culture of security
- Talk openly about security
- Make sure everyone feels comfortable reporting security threats
Common Mistakes
- No clear roles
- Failing to explain processes
- Forgetting to update policy