Information Security Policy

Information Security

The Security Policy website has Information Security, Risk Management, Information Security Policy and data security resources. Here you can find IT Security Policy and security best practices related to regulatory compliance including ISO Standards and financial data security concerning PCI Security Policy and Sarbanes Oxley compliance.

Security Policy

A Security Policy is a plan of action adopted by an organization to define how it plans to protect the organization's physical, information and human resource assets. A security policy can incorporate many different types of rules for the protection of information and assets, including specific security policies for network security and security software. A well-defined and documented information security policy plays a critical role in describing the controls the enterprise will use to manage risk and protect its information and physical assets.

Risk Management

Basics of Risk Management

Exposure to a chance of loss or damage tends to make companies and organizations more risk averse. In the ever-changing business world, enterprise Risk Management attempts to lessen the seriousness or extent of risk where possible through best practices (ITIL) and security standards (ISO 27002, ISO 27005, PCI). The management of risk is even more pronounced in finance and insurance. Vulnerability or exposure of financial security leads companies to maintain programs of financial risk management (Solvency 2) and governments to issue regulatory laws (Sarbanes Oxley in the United States and Basel II in Europe) and security regulations (HIPAA, GLBA) that attempt to preserve and maintain desired outcomes.

Risk Management Policy

Proven methods of Risk Management Policy exist to identify risks and analyze potential impacts; still, only a relatively small group of organizations fully use these systematic approaches to enterprise risk management to identify and analyze the potential impact on critical activities and to implement the security policy best suited to protect the assets of the organization.

Security Policy

With each passing day, more information and data become available as companies increase their investment in information systems. Because this information is used to identify risks and analyze their potential impacts, information systems Security Policy becomes a more significant factor, and organizations must choose security measures appropriate to the risk and circumstances involved. Interest in integrating ITIL with Capability Maturity Models (CMM and CMMI) provides evidence that an awareness and knowledge of gradual improvement is developing. Information security policy and risk management related to information technology (IT) will continue to integrate gradually into the business processes of organizations.

Corporate Compliance

Corporate Regulatory Compliance

Companies are facing an increase in the time and financial resources necessary to develop an appropriate security policy and corporate compliance plan to ensure corporate regulatory compliance, as national regulations and professional and corporate governance standards are promulgated and put into effect in the world economy. Participants include both large and mid-sized publicly traded companies, which must adapt to more rigorous and exacting measures pertaining to security compliance for payment card and credit card processing and to management certification of internal control over financial reporting.

Regulatory Compliance

Corporate governance and compliance laws which are having an impact on companies worldwide include:

Compliance Laws

Sarbanes Oxley Act (SOX)
US rules on accounting and corporate governance. Sarbanes Oxley Compliance is overseen by the Securities and Exchange Commission (SEC).
J-SOX
Japanese standards for evaluation and auditing of internal controls based on the Financial Instruments and Exchange Law with intended goals similar to those of SOX compliance.
Multilateral Instrument MI 52-109
Canadian regulations on the certification of the financial information delivered in the annual reports of Canadian companies, including TSX-listed companies and companies with a real and substantial connection to Ontario.
Bill 198
Canadian legislation giving authority to the Canadian securities administrator to develop an instrument requiring CEOs and CFOs to certify annual and interim financial filings. Bill 198 has characteristics similar to those of Sarbanes Oxley compliance Section 302.
Gramm Leach Bliley Act (GLB Act)
The Financial Modernization Act of 1999 is a set of US regulations to protect personal financial information held by banks and other financial institutions.
PCI DSS Payment Card Industry
Digital security standards to enhance the security of payments and ensure privacy of customer financial information.
HIPAA
The Health Insurance Portability and Accountability Act, enacted by the US Congress in 1996, is a set of regulations for the protection of medical information, including privacy requirements, a HIPAA compliance statement and security regulations related to health plans and coverage under group health insurance.
LSF
Loi de Sécurité Financière is a French law for companies' internal controls to improve transparency of financial reports. The law's aims are closely related to those of the Sarbanes Oxley Act in the United States.
Basel II
International framework governing the capital of banks worldwide. The Basel Accords consist of recommendations on banking compliance laws and rules issued by the Basel Committee on Banking Supervision.