Does Your Business Have an Information Security Policy

Your business must have a viable information security policy if you use computers to process transactions that retain valuable or confidential information. Most businesses operate without one.

Having a formal plan to protect your organization’s confidential information is a “no-brainer”. Without one, you are documenting a lack of due diligence on your part. Persons who would file a lawsuit against you for the disclosure or loss of their confidential information would likely win in a court of law. You are setting yourself up for potential financial losses unless you have an information security policy and follow through upon it.

An information security policy is a set of rules or requirements that govern how your organization and its employees strive to manage its digital resources and assets in a safe manner. The reason for adopting controlling statements to protect digital assets is to provide a structure to assure the confidentiality, integrity and availability of data resources for decision-making.

Included in information security or data assurance policies would be statements that describe how a structured information asset inventory is conducted, a description of a comprehensive risk assessment program, a statement on how information assets are to be appropriately used, a description of how data encryption shall occur, an incident response plan, an outline of safe work practices, how the management of change should occur and a statement that outlines what forensic and business continuity plans and more. Read the rest of this entry »