There are many sites with security policies on the Internet, such as Universities recommending what to do and not do.
A security policy is a guideline to employees and users of network and computing resources for the safety and security of data and resources.
It is good to know what one is supposed to do, it should be clear and easy to understand. A reference for the users to work
Of course HIPAA and PCI compliance each require a security policy, and each standard has different but similar requirements. Both require an inventory of assets. The differences are in who is supposed to follow the standards, and what are the consequences if not followed.
PCI has financial penalties, whereas HIPAA has financial and criminal penalties. (If gross negligence and/or facilitation occurred)
There are a lot of policy templates to choose from to decide how to compile your own security policy(SANS has a free area to start from):
Sections of the security policy are the following:
Network security, server security, application security, mobile security, wifi security.
The General Security area includes what to Encrypt, document retention, disaster recovery, email, ethics, password, end user encryption, incident response(physical and digital).
There could be a general hiring, firing policy as well.
So what does the security policy really do? It is a document that employees can reference if there is a question on what to do in situations.
If there is a budget meeting and software updates are discussed, anti-virus, firewalls, IDS/IPS(Intrusion Detection Systems/Intrusion prevention Systems) have to be purchased and maintained. If you are looking for cost cutting these are not the spots to cut.
As new marketing programs are installed, they must be vetted for security as well as function. The passwords installed have to be inline with the password policy.
As new items are purchased or maintained these policies must be adhered to.
How about buying a new Infusion Pump?
Unfortunately Hospira’s Symbiq medication Infusion pump did not have a security policy to adhere to.
Maybe before buying new devices ask “how secure is the device?”
Oversitesentry has highlighted this problem on June19:
The Security Policy can save you from future breach headaches or at least you will know what to do with an Incident Response(IR) plan in place if-when a breach does occur.
Creating a security policy is the first step in your path to a more secure workplace.
It is a must in 2015, and can save you many dollars in reputation and breaches.