Forum for Information Security

Assurance & Compliance July 7, 2005 12:42 pm

No one wants to write security policies, but every company needs one. Right?

Here is an example of what to avoid:

The general process is that the person assigned will copy a policy from another company, change the names, and submit it for acceptance. The result is that no requirements were identified, no issues were properly addressed, and a solution that was specifically developed for another company has been used as a best hope of solving the current company’s requirements.

A robust IT security policy is key to any enterprise IT security program. If there are flaws and loopholes in the security policy, then these problems are likely to get compounded later.

Food for thought…

RiOn

Assurance & Compliance 12:41 pm

Most US Banks use the SAS70 standard as a management and control review system to comply with regulatory stipulations. European Banks mainly go for the EU Data Directive (which covers security and privacy) and BS7799. Banks in Australia / NZ use the AS/NZS4444 (which is a derivative of BS7799). In India, we don’t have a security standard that banks must necessarily implement, nor do we have guidelines from the Reserve Bank or the Ministry of Finance.

Logically, tweaking a standard like the ISO17799 should work fine - depending on reporting and compliance requirements, additional controls should be specified and implemented. This is where the RBI or even an industry body can provide inputs which can be incorporated into a variant of the standard.

More on establishing a security standard for use by Indian Banks later.

Post your comments online.

RiOn