Information Security Policy Development
- the FTC (through enforcement actions against Microsoft, ChoicePoint, Eli Lilly, et al.)
- Sarbanes-Oxley (through regulation of internal controls for financial reporting), Gramm-Leach-Bliley and HIPAA (through a maze of regulations like the FTC’s Safeguards Rule, the Interagency Security Guidance, and the HIPAA Privacy and Security Rules)
- State breach disclosure laws (California led the way, and nearly all the other US states have followed)
- the types of data handled by you and by your service providers
- the risks associated with lost, leaked, or corrupted data
- your particular IT environment (technology, management, processes, etc.)
- best-practices employed at your peer companies
- legal requirements for data security, including the applicability of breach notification laws

After the assessment, we’ll work with you to define the boundaries of an appropriate policy (one that satisfies both legal and operational requirements), and work with your legal, IT, security, and operations managers to produce a jointly owned policy with detailed roles and associated training tools.
For incident planning, we’ll help you identify the relevant team members (legal, operations, media relations, IT) and build pre-incident liaisons with the appropriate law enforcement and ISP representatives. We’ll help make sure that the team members understand the issues and their options before a security breach occurs, so that their decision-making during the crisis is reasoned and effective. If the worst happens, we have experience managing the crisis with dispatch, and converting a crisis into a marketing opportunity.