Information Security Management Policies and Standards are the key strategic management framework supporting commercially-reasonable information security management practices for organizations of all kinds.
An organization’s Information Security Management Policies and Standards serve to:
- Establish management’s commitment to securing critical information assets
- Establish uniform organizational standards for securing critical information assets
- Provide guidance to managers and other employees as to their information security responsibilities, obligations and duties
- Provide standards for use by IT personnel in securely configuring and maintaining the IT Infrastructure
- Provide an information security baseline for establishing adequate protection of an organization’s intellectual property, trade secrets and other proprietary firm information
- Be aspirational, providing actionable guidance to an organization as it evolves its own unique information security management program
- Support the all-important objective of creating an information security-aware culture
Information Security Policies also satisfy emerging laws, regulations and contractual requirements that mandate written information security policies. Information security policies are required, for example, by the following:
- Federal laws, such as HIPAA and Gramm-Leach-Bliley, which require the protection of personal health and financial information
- Payment Card Industry Data Security Standard requiring the protection of card information
- California Civil Code 1798.81.5 requiring California businesses to implement reasonable information security measures to protect personal information belonging to California citizens
- The Federal Trade Commission (FTC) security and privacy regulations
- Breach disclosure laws in several states
Citadel’s Information Security Management Policies and Standards are based upon industry standard frameworks such as ISO 27001 and ISO 27002, the National Institute of Standards and Technology (NIST) Information Security Management Framework, the Payment Card Industry’s Data Security Standard, as well as HIPAA/HITECH, GLB and other applicable Federal and State laws and regulations.
Information Security Management Standards
Information Security Management Standards, in contrast to Policies, are designed to be specific, actionable requirements to be implemented by management, users and IT. And, unlike policies, which are obligatory, standards are aspirational.
Contributed by Citadel Information Group
© Copyright 2017. Citadel Information Group. All Rights Reserved.