Updates, Guidance, and Stories from the Urbane team.
Socializing New Policies
In the last Back to the Basics post, we discussed starting the writing process for security policies and procedures. Once you have the initial draft completed and upper management has signed off on it, what do you do next?
Many organizations will consider it final at that point and push it to the repository where documentation goes to be stored and largely unread. Ensuring that your employees are engaged in the process or at least interested enough to open the documents is another challenge.
Getting Started With Your First Information Security Policy
Have you ever been tasked with writing a security policy and feel completely lost as to where to start?
This feeling is a normal one that we have seen time and time again in our respective consulting careers while doing security assessments. At some point, a member of the security team is tasked with writing a policy for the organization in order to fill a compliance need, but isn’t given any further guidance or framework for the content and format. Uncertain of how to fully complete the policy, they usually start with Google, looking for templates and example policies from other organizations they can borrow from. This results in a pasted-together collage of policies and standards that may meet compliance requirements but isn’t integrated with daily practices.
While this scenario is all too common, it doesn’t have to be. Given a little time and care, it is possible to create a set of policy and procedural documents without a lot of headache.
To Infinity, (Above) and Beyond!
The Payment Card Industry Data Security Standard (PCI DSS) is no longer a fledgling framework. The thought and process that have gone into the revisions to mature the PCI DSS have created a prescriptive list of controls that any organization would do well to follow. However, even the PCI Security Standards Council steadfastly maintains that the PCI DSS is only a baseline of controls. So let’s go through a thought exercise about additional controls that are not in the PCI DSS but could be used to improve the security of your environment.