(statement 1)
The Information Security (IS) team is responsible for promoting ongoing security awareness to all information system users. A Security Awareness program must exist to establish formal methods by which secure practices are communicated throughout the corporation. Security guidance must exist in the form of formal written policies and procedures that define the principles of secure information system use and the responsibility of users to follow them.
Security awareness articles, posters, and bulletins should be created and distributed periodically throughout the corporation to educate employees about new and existing threats to security and how to cope with them. All employees are responsible for promptly reporting to their management and to Information Systems (IS) management any suspected insecure conditions or security violations they encounter.
All employees must be made aware of their security responsibilities on their first day of employment as part of the new-hire orientation program. All employees must comply with IS security policies by signing a compliance agreement that is retained in their personnel file. IS security policies and procedures must remain current and readily available (e.g., via the intranet site) so that information system users can review and understand them.
Information Systems (IS) management must ensure that the terms and conditions of authorized system access are clearly communicated to potential users of those systems before access is granted. A formal process must exist to document that appropriate management was aware of and approved all access and privileges granted to corporate system users.
Justification:
Organizational security awareness is an essential part of the corporate security posture.
Information is one of the most valuable assets owned by the corporation, and securing information is the responsibility of every employee. Many security breaches