LegalSEC® - Cybersecurity


LegalSEC™ Blog: Policies and Procedure

By Carlos Rodriguez posted 12-03-2012 15:48

  

This is part two of a four-post series derived from the ILTA 2012 Conference session “A LegalSEC Workshop: Security Design and Implementation Best Practices.” In the first post we focused on the discussion about Security Awareness Training that we had at this session, which was led by Mark Brophy. This time we will focus on the discussion led by Judith Flournoy around Policies and Procedures. Let’s dive in.

Policies and Procedures 

At the session we heard what policies are currently in demand at most firms and the list is long. Within the next few weeks we will deliver the first set of LegalSEC Policy Templates, so you can grab them and adjust them to your firm. Below is the list of these policies. We realize this is a short list, but there will be many more coming in 2013. 

  • Acceptable Use Policy
  • Mobile Security
  • Data Protection (Client Data)
  • Social Media
  • Unauthorized Software
  • Security Awareness (Policy)
  • Use of Electronic Devices in High Risk Foreign Countries
  • Security Assessment RFP

Where we believe we will be adding value is not in the policies themselves but in the format in which we are delivering them. In addition to the actual policy, written in language that we believe is appropriate for our environment, we are also trying to map each policy to current controls and to the different regulations it supports, and to identify what controls the firm already has in place to enforce the policy.

Here is an example of what the Information Security Awareness Training maps to, and you will see this in all of the policies that we develop.

  Standard        Mapping
  --------------  --------------------------------------------------------------
  ISO             8.2.2; 8.1.3
  CObIT           PO4.6; PO6.2; PO6.4; PO7.2; PO7.4; PO7.7; PO7.1; PO7.3; PO2.3;
                  AI1.1; DS5.1; DS5.2; DS5.3; DS7.1; DS7.2
  HIPAA HITECH    164.308 (a)(5)(i) (R)
  GLBA            Safeguards Rule 314.4: (b)
  SOX             DS 7.2

In addition to delivering Policy Templates, we will also make recommendations on how to monitor compliance with policies, which is one of the challenges of any Information Security Program. As with the Security Awareness Program, we will try to provide guidance on getting buy-in from the firm, and we will provide guidelines for creating an Information Security/Risk Management Committee, including Membership Criteria, Reporting, and Policy Review Frequency.

Finally, we will make a big push to cover Disaster Recovery and Business Continuity next year, as we see this as an integral part of the LegalSEC effort and a critical aspect of any Information Security Program. 

Our next post will cover Security Control



#ServerOperationsandSecurity #LegalSEC