Tips for Constructing Your InfoSec Policy
by L. Michael Guard
1. Gather what you already have written down in the way of information security procedures. For example, you may have language about information security in your online banking policy, in your H.R. policies, or in your disaster recovery plan. Do a comprehensive review of existing policies to identify the pieces that involve information security. Create a master document that either includes all of them or refers to all of them and describes where each can easily be retrieved. Be sure you are consistent in your use of terms and definitions.
2. As you go through your existing information security procedures, take time to scrutinize them and update or make changes where necessary. Don't simply fold them into your master plan without subjecting them to a thorough review.
3. Identify information security procedures you may have in place that are not currently reduced to writing and document them. For example, you may have a firewall, but no written firewall policy. Sit down and document what the firewall is doing. (Note: Ideally, the policy should be used to configure the firewall and not the other way around.)
4. Conduct an inventory and risk assessment. Determine what information you have, in what form(s) it is stored, and follow the Guidelines for assessing risks and vulnerabilities. This information is a necessary prerequisite to formulating your policy/program.
5. In drafting your actual policy, avoid "guarantee"-type language. No network is 100% secure. Don't give a plaintiff's attorney language he can hang you with later!
6. Steer clear of conclusions. (Example: "All customer information is secure.") They are not appropriate and can be dangerous.
7. Don't reinvent the wheel. There are many excellent examples of policies available to you. Read half a dozen of them before you even begin to draft your own. (See the main InfoSec Clearinghouse page for sources.) On the other hand, you should never simply take another institution's policy and adopt it as your own. Your policy must reflect your institution's unique circumstances. It is worthless unless it does. Use other policies to provide a starting point and to get ideas about approaches to take and language to use.
8. Get out the Guidelines themselves (the Interagency Guidelines for Safeguarding Customer Information) and go through them point by point to make sure you cover all the required bases.
9. Keep in mind that the policy should be written so that it is a directive to the bank management and employees from the board.
10. If no one within your institution has a sound working knowledge of managerial level technology and information security, enlist the help of a professional to assist you in formulating both your procedures and policy. It's not just a matter of compliance. You want your information security procedures to actually protect your information to the greatest extent possible.
First published on BankersOnline.com 7/23/01