Key To Your Information Security Training - Policies and Standards
The often repeated "Information security isn't a destination, but a continuous journey" rings true for financial institutions' information security professionals. What is taken along on any journey? A map showing where you've been and where you plan to go is usually needed, unless you want to wander aimlessly. In the case of the information security journey, that map is the institution's information security policies and standards.
So what do your information security policies look like? Do they sit on a shelf or exist only as an electronic document to be trotted out when the examiners arrive? The best information security policies are those that are used, reviewed, renewed and talked about on a regular basis. Your policies are the basis of your awareness and training program and reflect your institution's level of interest in information security.
There are resources available for the chief information security officer to use to map out useful policy, including "Information Security Governance: Guidance for Boards of Directors and Executive Management," 2nd Edition, published in 2006 by the IT Governance Institute.
The guidance describes actions that boards and executive management can take to ensure effective information security governance. It identifies five positive outcomes of a successful information security program: information security is aligned with business strategy to support the business; risks are managed to reduce impacts on information; resources are managed by using information security knowledge and infrastructure effectively and efficiently; information security governance metrics are used to measure, monitor and report progress; and information security investments deliver value to the business.
An institution's information security policy is the focal point for establishing and conveying security requirements. Your policy sets THE tone for the information security practices within your institution; it defines the right behavior and is the platform for the security program. A consistently applied policy development framework guides how the policy is formulated, rolled out, understood and complied with.
Your institution's officers are responsible for establishing and enforcing a formal, written information security policy including standards, procedures, guidelines and rules of use.
A good set of policies shows the importance of security within the institution, identifies what is being protected, identifies key risks and mechanisms for dealing with those risks, and provides for ongoing and regular monitoring and feedback to ensure the policies are enacted and enforced. Regular, timely updates are needed to reflect changing business needs and practices. The policy enumerates the roles and responsibilities of all information systems users for protecting the confidentiality, availability and integrity of information assets. It must set out management's objectives and expectations for information security in clear, unambiguous terms, along with the implications of noncompliance.
It also demonstrates your management's commitment to information security. To guarantee ongoing applicability and relevance, the policy statement needs to be reviewed and updated on at least an annual basis. Not updating your policy may demonstrate a lack of management commitment to information security (not a good thing), or a general lack of processes to manage organizational governance.
"Information Security Governance: Guidance for Boards of Directors and Executive Management" is available for download at www.itgi.org.