Regulatory and legal compliance is an ongoing challenge, especially for small businesses that have plenty of other work to do. We can help you with templates and examples to be sure you are meeting the legal and business requirements that will keep your business safe.
Make sure you are compliant with the security and data confidentiality laws that apply to you, and that your web site carries the required privacy disclosure. Include a computer use policy in your employee handbook or procedures.
CAN-SPAM Act – If you send email newsletters or ads (commercial email must identify the sender, include a postal address and honor opt-out requests)
E-Discovery laws – Civil litigation (you must be able to preserve and produce electronic records, including email)
California Notice of Breach Law – Identity theft (requires notifying affected California residents when their personal information is exposed in a breach)
PCI DSS – If you accept credit cards (a card-brand standard enforced through your merchant agreement rather than a statute)
Red Flags Rule – Requires a written program to detect and respond to warning signs of identity theft in customer accounts
FACTA – Printed receipts must truncate the card number and omit the expiration date to prevent identity theft
HIPAA – Medical records and other protected health information
Sarbanes-Oxley – Publicly traded corporations
FISMA – Federal agencies and the contractors that operate systems on their behalf
Privacy Policies – If you collect information on your web site
The Children's Online Privacy Protection Act (COPPA) – Web site privacy when collecting personal information from children under 13
Many security regulations share a common theme: they define good practices without prescribing specific technologies. They wisely recognize that technology changes quickly, and what is secure today may be obsolete tomorrow. You will need a security policy and a security plan, along with clearly identified business roles that are accountable for IT security.
The security policy should not be technology specific. It should state why security is needed and establish the business processes and roles that create and maintain IT security. It should also define the topics a security plan must cover and the business results the plan is expected to deliver.
The security plan includes a statement or inventory of your current security controls, identifies the gaps between where you are and where you should be, and lays out a plan for closing them. It also establishes the process for maintaining good security, including regular reviews, and sets out the procedures for responding to a security incident should one occur. The security plan will change as needed to address changes in the business and in technology.
There are many packaged "security policies" for HIPAA and other compliance requirements, and many of them are good templates. They cannot substitute for going through the thinking and analysis needed to determine what is right for your business.
Here are some resources for developing your policy and plan:
www.sans.org - SANS Institute; provides best practices, free security policy templates and training for security professionals
www.cert.org - CERT Coordination Center at Carnegie Mellon's Software Engineering Institute; vulnerability coordination, incident handling guidance and training
http://csrc.nist.gov/groups/SMA/fisma/index.html - NIST Computer Security Resource Center; government resources on IT security, including FISMA implementation guidance and the SP 800 series of publications
http://cisecurity.org - Center for Internet Security; publishes consensus configuration benchmarks for operating systems, applications and network devices
http://www.network-and-it-security-policies.com/ - Examples and security policy resources
As you investigate IT security, you will discover that there are well-established best practices for IT management that provide a foundation for good security. Here are some starting points:
http://www.iso.org/iso/support/faqs/faqs_widely_used_standards/widely_used_standards_other/information_security.htm - International Organization for Standardization (ISO), information security section; home of the ISO/IEC 27001 and 27002 information security management standards
http://www.itil-itsm-world.com/ - ITIL (IT Infrastructure Library) is a library of best practices for IT service management.
http://www.itlibrary.org/index.php - ITIL resources
http://www.riskworld.net/ - COBRA resources. COBRA is a risk assessment methodology for IT security.
http://www.oissg.org/ - Open Information Systems Security Group, publisher of the Information System Security Assessment Framework (ISSAF)
http://www.opengroup.org/security/ - The Open Group security forum advocates standards for IT security.
https://www.isfsecuritystandard.com - Information Security Forum Standard of Good Practice for Information Security