The Vital Role Played by Information Security Management Policies and Standards

Information Security Management Policies and Standards are the key strategic management framework supporting commercially-reasonable information security management practices for organizations of all kinds.

An organization’s Information Security Management Policies and Standards serve to:

Establish management’s commitment to securing critical information assets
Establish uniform organizational standards for securing critical information assets
Provide guidance to managers and other employees as to their information security responsibilities, obligations and duties
Provide standards for use by IT personnel in securely configuring and maintaining the IT Infrastructure
Provide an information security baseline for establishing adequate protection of an organization’s intellectual property, trade secrets and other proprietary firm information
Be aspirational, providing actionable guidance to an organization as it evolves its own unique information security management program
Support the all-important objective of creating an information security-aware culture

Information Security Policies also meet emerging information security laws, regulations and contractual requirements for information security policies. Information security policies are required, for example, by the following:

Federal laws, such as HIPAA and Gramm-Leach-Bliley which require the protection of personal health and financial information
Payment Card Industry Data Security Standard requiring the protection of card information
California Civil Code 1798.81.5 requiring California business to implement reasonable information security measures to protect personal information belonging to California citizens
The Federal Trade Commission (FTC) security and privacy regulations
Breach disclosure laws in several states

Citadel’s Information Security Management Policies and Standards are based upon industry standard frameworks such as ISO 27001 and ISO 27002, the National Institute of Standards Information Security Management Framework, the Payment Card Industry’s Data Security Standard, as well as HIPAA HITECH, GLB and other applicable Federal and State laws and regulations.

Information Security Management Standards

Information Security Management Standards, in contrast to Policies, are designed to be specific actionable requirements to be implemented by management, users and IT. And, unlike policies which are obligatory, standards are aspirational.