The means by which these principles are applied to an organization take the form of a security policy. This isn't a piece of security hardware or software; rather, it's a document that an enterprise draws up, based on its own specific needs and quirks, to establish what data needs to be protected and in what ways. These policies guide the organization's decisions around procuring cybersecurity tools, and also mandate employee behavior and responsibilities.
Among other things, your company's information security policy should include:
- A statement describing the purpose of the infosec program and your overall objectives
- Definitions of key terms used in the document to ensure shared understanding
- An access control policy, determining who has access to what data and how they can establish their rights
- A password policy
- A data support and operations plan to ensure that data is always available to those who need it
- Employee roles and responsibilities when it comes to safeguarding data, including who is ultimately responsible for information security
One important thing to keep in mind is that, in a world where many companies outsource some computer services or store data in the cloud, your security policy needs to cover more than just the assets you own. You need to know how you'll deal with everything from personally identifying information stored on AWS instances to third-party contractors who need to be able to authenticate to access sensitive corporate info.
No comments:
Post a Comment