Policy Implementation and Enforcement - Policies to protect information assets are well defined and in accordance with all applicable laws and regulations. However, it is not enough to simply create policy documents without also implementing the mechanisms to enforce them and ensure compliance with them. This page summarizes the implementation, enforcement and monitoring plan at a health care insurer for the policies that have been developed. This information security plan will ensure that policies, standards, guidelines, and procedures are implemented, monitored for compliance, and periodically assessed to ensure their continued relevance.
General Implementation Plan
A risk management approach is used to develop policies, standards, guidelines and procedures balanced with business operational considerations that address the following security goals:
- Ensure all employees, contractors, consultants, suppliers and affiliated third parties understand the importance of safeguarding information, ultimately protecting the confidentiality, integrity and availability of the information assets.
- Protect information from unauthorized access, disclosure, loss or misuse.
- Ensure compliance with government laws and regulations.
- Enhance our brand and further build the confidence of our customers and shareholders.
Methods like training, awareness, highlighting career benefits and being clear about consequences have all been shown to be effective means of overcoming roadblocks to implementation (Korolov, 2015). Thus, the insurer will allocate funds from the budget and align with management to develop these programs.
Monitoring and Reporting
The CEO is ultimately responsible for the financial performance of the company and needs to have a role in the process. This role is that of the Risk Executive, who is responsible for providing oversight and promoting collaboration and cooperation among organizational entities. The Chief Compliance Officer has a leadership role in the implementation and ensures that an effective continuous monitoring program is established for the organization (Keller, 2016).
A baseline of the state of our systems will be captured and maintained through periodic updates. After each update, the baseline is reset to the new standard. This will reduce the risk of malware infecting the systems. Periodic and random audits will be performed against our systems to provide an objective assessment of vulnerabilities.
Communication
Our communication strategy will follow the principle of the “3 C’s”: Clear, Concise, and Compelling. It will be delivered in plainly spoken prose with minimal legal jargon. Moreover, it will be to the point. This tenet will ensure the message is consumable quickly with high impact. Finally, it will contain credible and relevant information that will inspire action. For this to be effective, executive support must be visible. Short digital assets will be created with the CEO endorsing the program and asking for 100% employee commitment.
Accountability will start at the top of the organization. Executive leaders are expected to lead by example and to direct management to execute on a day-to-day basis. Managers are responsible for making sure all Workforce Members understand the new policies and are ready to implement them, and for enforcing the policies at the employee level.
Training
Employee awareness is one of the most effective means of reducing the risk and impact of a breach. For example, companies that took security seriously and conducted security awareness training for employees had an average financial loss of $162,000, while companies without training reported an average of $683,000 (Dimov, 2017). Further, awareness has been shown to be one of the most effective means of overcoming roadblocks to security implementations. Thus, security investments will be made in developing awareness programs to overcome roadblocks to the implementation.
Given the number of remote offices in most insurers, training will not be classroom based; it is best to implement creative and engaging online training programs that educate, test and create awareness. All staff will be provided regular awareness training and education. Without such training and education, personnel will not know what they are to do nor why they are to do it.
Training and education programs need to emphasize (Stahl, 2011):
- The enterprise’s need to secure critical information assets.
- Management’s commitment to securing the critical information assets.
- Each person’s individual responsibilities for securing critical information assets.
- Consequences for failure to abide by the policies and standards, both organizational and individual.
References
Dimov, I. (2017, August 29). Security Awareness Statistics. Retrieved April 28, 2018, from http://resources.infosecinstitute.com/category/enterprise/securityawareness/security-awareness-fundamentals/security-awareness-statistics/#gref
Elmy-Liddiard, M. (2002). SANS Institute InfoSec Reading Room. Retrieved April 28, 2018, from https://www.sans.org/reading-room/whitepapers/policyissues/building-implementing-information-security-policy-509
Keller, N. (2016, October 07). Cybersecurity Framework FAQs Relationship Between the Framework and Other Approaches and Initiatives. Retrieved April 28, 2018, from https://www.nist.gov/cyberframework/cybersecurity-framework-faqs-relationship-between-framework-and-other-approaches-and
Korolov, M. (2015, September 30). Does security awareness training even work? Retrieved April 28, 2018, from https://www.csoonline.com/article/2987822/data-protection/does-security-awareness-training-even-work.html
Stahl, S., Ph.D., CISA, CISM, & Pease, K., CISSP. (2011, August). Seven Requirements for Successfully Implementing Information Security Policies and Standards. Retrieved April 26, 2018, from https://citadel-information.com/wp-content/uploads/2010/12/seven-requirements-for-successfully-implementing-information-security-policies-1108.pdf