ISO 17799/27001 BS7799 IT Security policy resources
Who needs IT security policies and what types of organizations must comply?
Regardless of the size of your company, you should have an IT security policy in place. Even if you’ve not put one in writing yet, you have a policy already. In most small companies the policy is an island approach where every individual is left to his or her own devices and while this has worked well in the past, it must change in the future. In the past, with the exception of burning down your offices, damage from a single employee’s actions would usually be limited to their own files and sphere of influence. Today, the actions of one can affect your entire IT structure and wreak havoc and even destruction or disclosure of your data. Running your business without a policy in place is akin to setting sail in a boat with no rudder. The winds may carry you safely somewhere, or smash you into the rocks at any time. At a minimum the security policy should act as a guide for your business. If you have more than one employee, you should have a policy in place. For companies with up to 200 employees, the ISO 17799 standards allow management to have a better awareness of IT security and for larger organizations, the standards should allow the creation of a mature and compatible IT security culture within the company.
What organizations are required by US law to have IT security policies? The short answer is all public companies and virtually all companies in the health care business who handle electronic patient data.
The Sarbanes-Oxley Act (SOx) section 404 requires public companies to document their IT and financial controls and to issue an annual statement on the effectiveness of those controls. Whether your company is large or small, if you make periodic filings under section 13(a) or 15(d) of the Exchange Act, you'll need to comply with SOx.
HIPAA Subpart C, Section 164.306(c) requires covered entities to apply specific security standards to all protected health information.
How does one implement a policy and what standards are involved?
Of course, you can go to the ISO web site, purchase a copy of the ISO 17799:2005 standard in PDF, and write your own policies from scratch. Or you can start from templates created by others.
One of the simplest ways to get started is by evaluating a sample policy based on ISO 17799. There are two easy ways to do this. One is to purchase a commercially available template system; the other is to use Open Source documents as a starting point for your policies. The Lazarus Alliance started a wiki for this purpose about a year ago, and while it is a work in progress, reviewing the ISO 17799 documentation in the wiki should give you a good start towards ISO 17799. Bear in mind that the wiki is a work in progress and may not offer a policy as comprehensive as a commercially offered set of templates.
For commercial templates, a simple search on Google reveals quite a few. The majority of those in the top results appear to be from the same creators, with similar descriptions and pricing. The hype from this creator leads me to take a jaundiced view of the product (for example, they claim Patriot Act compliance; unless you are an ISP, you need not worry about this act. Having said this, please note I am not an attorney). I personally would demand a review period to evaluate the quality prior to committing money to the e-janco templates. Another sample template system is available for free review in PDF format from RUSECURE. Having reviewed this template, I can opine on the quality and thoroughness of the policies in their templates. At half the price of the Janco templates and with a seven-day money-back guarantee, it would be hard to go wrong with this template set.
You may also consider buying a software solution to generate your security policies. One such solution is produced by Callio, though you will find many others on the market for a DIY approach.
Another option is to hire a consultant to do all the steps for you. In most cases, the consultant will likely start with a software toolkit or templates and customize them as needed for your business. This is by far the easiest way to get a policy in place, but do remember to do your due diligence on the consultant and inquire about his background, qualifications, and real-world experience prior to hiring. A good consultant should also be able to provide a clear, detailed proposal covering costs and milestones prior to beginning work. One last bit of advice: never pay the full consultant fee in advance. My experience from both sides of the table indicates that structured payments based on milestones, with a final payment upon full delivery, work best for all concerned.