Operational Policy
At their core, Information Security Policies are a reference set of instructions for employees to follow in varying scenarios, covering topics from Laws and Regulations to how often one must change their password. The development of these policies can be driven by the results of a Risk Assessment, the implementation of a new information system, or new laws and regulations citing the need for their existence. The mere creation of these policies does not ensure a company is safe and immune from attacks. Without proper implementation and enforcement, they are nothing more than a metaphorical paperweight. As these policies strive to protect not only the company but the employees as well, it is important that they are written and implemented in such a way that they abide by professional and ethical standards.
Laws, Regulations, and Standards
Throughout the CSOL courses we were constantly directed to research any applicable Laws, Regulations, and Standards that may drive our decision making, not only throughout the program but also in our professional careers. In particular, when creating our mock Operational Security Policy for the fictional healthcare company (HIC, Inc.), understanding the laws and regulations surrounding the healthcare industry was paramount in making sure I was within compliance, especially those regulations set forth by the U.S. Department of Health and Human Services (HHS) and the Health Insurance Portability and Accountability Act (HIPAA).
Data Classification and Security Policy Model
Along the same lines of importance as being compliant with applicable Laws, Regulations, and Standards is how to properly identify and classify the various types of data within your organization. The Asset Identification and Classification Policy I created for our fictional company establishes a process for classifying and handling Information Assets based on their level of sensitivity, value, and criticality to the company. The procedures outlined in the assignment describe the specific actions and processes that will assist Information System Owners in implementing the policy requirements related to Information Asset Management and Information Classification. This policy helps employees understand the value of the company's information assets and allocate resources to protect them. Asset Classification follows the accepted principles of Confidentiality, Integrity, and Availability to show the worth or value of the asset to the company. Asset Identification is equally important, as my fictional company (HIC, Inc.) electronically tracks and monitors all information assets against the Asset Classification Policy based on ownership.
Policy Implementation, Enforcement, and Compliance
Creating a policy can be tedious and time consuming, and a policy generally only represents intentions until it is implemented. So, making sure the policy you've written for your company is being enforced, whether through training, continuous monitoring, or audits, is a staple of ensuring compliance within your organization. Continuing with my fictional company, HIC, Inc., I created an Implementation, Enforcement, and Compliance Plan. This is an important requirement for the company, as it allows HIC, Inc. to put our information security policies in motion with an understanding of how we ensure the policies are being enforced and remain compliant throughout the system's life cycle. To ensure the effectiveness of our information security policies, it is paramount to HIC, Inc. that our executive management not only sponsor our security goals, but also lead by example in adhering to the policies set forth.
CSOL 540 Reflections
If working in the I.T. industry supporting the U.S. Government has taught me anything, it's that if there is ever an issue there will be twenty new policies on the matter the next day that will spawn updates to regulations or new ones altogether. With technology advancing so quickly, regulators have a near impossible job keeping up with the changes. As such, we see many of these new laws being thrown together as a reactionary response to some breach or cyber attack that must be dealt with quickly. However, more often than not, those laws are later amended to adjust for a more accurate representation of their true intent. Comparing this to just ten to fifteen years ago, the technology wasn't in use like it is today, and the men and women responsible for drafting these laws lacked the foresight and technical knowledge to prepare in advance. The drawback to compliance everywhere is that not all laws and regulations are one size fits all. Looking back on the CSOL 540 course, it opened my eyes more to the flexibility in policy creation and, more so, to the myriad ways to implement changes throughout your company with proper enforcement.
Operational Policy References
Family Educational Rights and Privacy Act
Federal Information Security Modernization Act of 2014
Gramm-Leach-Bliley Act
Health Insurance Portability and Accountability Act
NIST SP 800-53 Revision 5: Security and Privacy Controls for Information Systems and Organizations
NIST SP 800-66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule