Your PC - Personal Security & Safeguards

Security Policies

When we are talking about more serious security, such as a business, a stronger approach to security is required.  This is also true for anyone in the healthcare or financial services industries where new Federal Regulations (HIPAA & GLBA) require strong security.  For most, the starting point for security is establishing your security policies. 

Even if this is not for you, being aware of the topics will help you better understand and assess your risks.

Typical Security Policy List For Business

The following is a typical set of required policies:

• Security Management - roles, risk analysis
• Security Audit - interface with internal audit

• Data Classification

• Systems and Network Management

• Security Configuration Management - change control

• Security Certification - systems, third parties, internal security staff

• Health Information Processing - including formal mechanism for processing records
• Software Control
• Intellectual Property
• Media Control
• Information Access Controls
• Physical Security
• Personnel Security - including termination
• Remote Access
• Telecommuting Security
• Third Party Access - business partners, ASPs
• Third Party Disclosure
• Malicious Software Control - virus, spyware
• Encryption
• Electronic Signature
• Network Communications
• Information Integrity
• Acceptable Use - General, Workstations, Email, Internet
• Vulnerability Management - patches, tracking vulnerabilities
• Threat Monitoring and Auditing - reporting incidents, IDS, audit log files
• Security Incident Management - response and recovery
• Contingency Planning - emergency mode, data backup and recovery, disaster recovery, business continuity

• Security Education - awareness, training

As with most things, security fails without proper education.  When enacting new security protocols, be sure that training and education are at the top of your list!