Checks We Perform

An information security policy is key to an effective security compliance management program. The policy should describe the security standards with which the organization intends to comply. It is important to define the scope of your policy according to business needs, organizational structure, and compliance goals to ensure relevant aspects are not excluded.

Security compliance management requires leadership and clear communication with stakeholders throughout the organization. Your information security policy should assign responsibility for the security program to at least one of the following roles: A leader with authority to sponsor security compliance projects. This may be an executive or a security compliance steering team with executive support. A compliance manager or managers with information security expertise. The compliance manager is responsible for overseeing compliance projects that integrate security compliance throughout the business.

Separation of duties for compliance and security personnel brings accountability to operational functions. When security or compliance reports to technology leadership, conflicts of interest may arise. At a minimum, a dotted line directly to the board is necessary to communicate findings that compromise the organization's objectives for compliance and results.

Effective internal control involves accountability. Your policies should define standards and allow for corrective measures when employees deviate from expectations. Articulating the progressive methods of discipline brings teeth to the policy.

With the increase of remote workplaces comes a number of policies that need to be updated to encourage productivity, security, and efficiency. Whether it's desktops, laptops, tablets, or smartphones, employees must have a clear and thorough understanding of how they should use personal or company devices securely. The information security policy that you've developed for your company should be adjusted to fit the needs of your remote employees by providing a deeper focus on remote security. Defining access controls for remote employees is critical in environments the organization does not fully control.

Your information security program should address how your organization expects passwords to be managed. For example, do you have password policy enforcement? Do you have a password reset process? Do you allow fewer change intervals because there is a password breach monitoring process? Employees should clearly understand how to manage their passwords and make changes when compromises occur.

Policies should require audit and accountability requirements in the form of system logs. Personnel deploying systems and applications should understand the organization’s requirement for log generation, centralization, and alerting to ensure proper configuration. Personnel responsible for monitoring systems need policies and procedures to define what is expected to be monitored and how log reviews occur. This documentation is integral to your network monitoring and incident response programs.

Your personnel hold the keys to protecting data during storage and transmission. Educating them on proper protection methodologies, such as encryption, is a must. Your policies and procedures should guide them on how and when to apply protections to protect against data loss.

Any new system or application that is acquired or developed should be onboarded to the organization's security standards. Your policies should guide the personnel responsible for selecting these systems to ensure they can comply with the policies. The development team should follow policy to incorporate security in development. Testing strategies should be included in your policies so new systems are required to go through an evaluation to ensure proper security configuration.