#12050 - 05/31/01 12:11 PM Information Security Policy Sharing
thomasj
All of the posts that I have read concerning Information Security Policies seem to have a common theme - everyone has struggled with it. Would it be out of line to suggest that we post some examples of what we have put in our policies? I realize that everyone has had to assess their risk and design their program to fit their institution but it may be beneficial to share some ideas.
Knowledge is knowing what to say. Wisdom is knowing when to say it.

#12051 - 05/31/01 02:15 PM Re: Information Security Policy Sharing
Bville
I would love to see examples of policies. I am new in the compliance area and am struggling to figure out where the responsibility for this policy lies - compliance, audit, DP, Operations, Security? The previous compliance officer was quite excited about a privacy policy, but ignored information security.

#12052 - 05/31/01 05:13 PM Re: Information Security Policy Sharing
Princess Romeo
We got the framework for our Privacy Policy from the Traic Group -

We modified it to fit our Bank and made references to our various policies and procedures manuals that go into the details of information security. We also incorporated a listing of all manuals that deal with information security in one form or another along with the department that is responsible for maintaining the manual.

The ISP itself gives a broad overview of the Privacy Regulations including our bank's privacy policy, how and when notices are given, and then reviews the basic risks/threats to information security and a basic response to those threats.

Since the ISP must be approved by the Board, we did not want to put detailed procedures in it because we would not have the flexibility of changing those procedures without going through a formal board approval.

Regulations are a poor substitute for ethics.
Just sayin'
