All of the posts that I have read concerning Information Security Policies seem to have a common theme - everyone has struggled with it. Would it be out of line to suggest that we post some examples of what we have put in our policies? I realize that everyone has had to assess their risk and design their program to fit their institution but it may be beneficial to share some ideas.

I would love to see examples of policies. I am new in the compliance area and am struggling to figure out where the responsibility for this policy lies - compliance, audit, DP, Operations, Security? -the previous compliance officer was quite excited about a privacy policy, but ignored information security.

We got the framework for our Privacy Policy from the Traic Group - http://www.triacnet.com

We modified it to fit our Bank and made references to our various policies and procedures manuals that go into the details of information security. We also incorporated a listing of all manuals that deal with information security in one form or another along with the department that is responsible for maintaining the manual.

The ISP itself gives a broad overview of the Privacy Regulations including our bank's privacy policy, how and when notices are given, and then reviews the basic risks/threats to information security and a basic response to those threats.

Since the ISP must be approved by the Board, we did not want to put detailed procedures in it because we would not have the flexibility of changing those procedures without going through a formal board approval.