Last active July 26, 2024 23:29
CISM IT Security Policy #cism #security #policy
Writing Security Policies
https://www.cyberpilot.io/it-security-policy-downloada
Purpose
- Provides a framework
- Sets objectives for IT security
- Delegates responsibility
- Creates guidelines and rules for employees to follow
Why It's Important
- Sets expectations for the handling of personal data
- Helps to protect against data loss
- Gives employees clear instructions on their responsibilities
- Prevents costly regulatory fines
How To Write One
- Purpose
- Validity
- Objectives
- Organization and responsibilities
- Waiver
- Reporting
- Violations
Purpose
- Set the framework
- "The security policy defines the framework for the management of IT security in organization X"
Validity
- Who does it affect?
- Is anyone exempt?
- "The security policy applies to all employees at X and to all access to X's information systems"
Objectives
- What do we want to achieve?
- Can have multiple objectives
- Could be a risk-based approach
- "Org X uses a risk-based approach to protection, and its cost must be based on the business risk and impact assessment that must be carried out at least annually"
- "X aims to comply with the relevant legislation, including the GDPR"
Organization And Responsibilities
- Who is responsible?
- Clearly designate roles
- Who will be accountable for the policy?
- The IT policy should mirror the reality of the IT department
- "The IT department consults, coordinates, controls and reports on the status of security"
- "The individual employee is responsible for complying with the IT security policy and for being informed of the IT usage policy"
Waiver
- Exceptions to responsibilities
- "Waivers from X's IT security policy and guidelines are approved by the IT department based on the guidelines laid out by the executive board"
Reporting
- Establishing a reporting process is key to the safety of data
- Highlight areas of responsibility
- "The IT department informs the executive board about all relevant security breaches"
- "The status of waivers is included in the IT department's annual report to the executive board"
- "The executive board reviews the security status annually and reports to the board of directors afterwards"
Violations
- What happens when someone knowingly violates the policy?
- Who should act on it?
- "Intentional violations and abuse are reported by the IT department to the HR department and the closest authority with lead responsibility"
- "Violation of the IT security policy and supporting guidelines may result in employment law consequences"
Guidelines
- Make sure everyone understands the policy
- Conduct regular reviews and audits
- Train your employees
- Develop a culture of security
- Talk openly about security
- Make sure everyone feels comfortable reporting security threats
Common Mistakes
- No clear roles
- Failing to explain processes
- Forgetting to update the policy