The Regulatory Requirements for Written Information Security Policies

Some organizations still receive little management support or funding for a sound information security policy program. Within the last several years, however, numerous federal, state and international regulations have been passed that require the protection of information. Many organizations are now enhancing their information security policies in response to legal and regulatory requirements.

In some cases, these regulations are very specific about the requirements for written security and privacy policies. In other cases, a regulation simply requires safeguards that are "appropriate" for the size and type of organization. In those cases, enforcement agencies and auditors must fall back on accepted best practices or frameworks for guidance, all of which require written policies. Examples of such frameworks are the Generally Accepted Information Security Principles (GAISP), Control Objectives for Information Technology (COBIT®) and ISO/IEC 17799.

The following table contains a partial list of security or privacy-related regulations and their specific information security policy requirements. Where appropriate, the list includes the security policy requirements of several key frameworks used to manage compliance with various regulations.

Regulatory Requirements for Information Security Policies

Each entry below lists the regulation or framework, the industry or country it applies to, and its specific policy requirement.

Regulation/Framework: HIPAA (Health Insurance Portability and Accountability Act of 1996), Security Final Rule
Industry/Country: Healthcare (U.S.)
Policy Requirement: Policies and Procedures, 164.316(a): (R) Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart.

Regulation/Framework: Sarbanes-Oxley Act, Section 404 - based on COBIT (Control Objectives for Information Technology), Control Objectives, Section 6: Communicate Management Aims and Directions
Industry/Country: All Publicly Traded Companies (U.S.)
Policy Requirement: 6.2 Management's Responsibility for Policies: "Management should assume full responsibility for formulating, developing, documenting, promulgating and controlling policies covering general aims and directives."

Regulation/Framework: New Basel Capital Accord (Basel II) - Quantitative Standards, Section 606
Industry/Country: Banking (International)
Policy Requirement: (e) The bank's risk management system must be well documented. The bank must have a routine in place for ensuring compliance with a documented set of internal policies, controls and procedures concerning the operational risk management system, which must include policies for the treatment of non-compliance issues.

Regulation/Framework: Gramm-Leach-Bliley Act (GLBA), Title V - Section 501, Interagency Guidelines Establishing Standards For Safeguarding Customer Information
Industry/Country: Financial Services (U.S.)
Policy Requirement: "Each Bank shall implement a comprehensive written information security program [policies] that includes administrative, technical and physical safeguards."

Regulation/Framework: FERC Cyber Security Standard, CIP-003-1 Security Management Controls
Industry/Country: Energy/Infrastructure (U.S.)
Policy Requirement: Requirement 1. The Responsible Entity shall create and maintain a cyber security policy that addresses the requirements of this standard and the governance of the cyber security controls.

Regulation/Framework: Federal Information Security Management Act (FISMA), NIST SP 800-26
Industry/Country: Federal Government (U.S.)
Policy Requirement: "(a) The head of each [Federal] agency shall delegate to the agency Chief Information Officer ensuring that the agency effectively implements and maintains information security policies, procedures, and control techniques;"

Regulation/Framework: PIPEDA (Bill C6) - Personal Information Protection and Electronic Documents Act
Industry/Country: All Industries (Canada)
Policy Requirement: 4.1 Principle 1 - Accountability: Organizations shall implement policies and practices to give effect to the principles. 4.8 Principle 8 - Openness: Organizations shall be open about their policies and practices with respect to the management of personal information.

Regulation/Framework: EU Data Protection Directive
Industry/Country: All Industries (European Union)
Policy Requirement: Organizations must "implement appropriate technical and organizational measures to protect personal data."

Regulation/Framework: ISO/IEC 17799, Section 1.1 Information Security Policy Document
Industry/Country: Security Framework
Policy Requirement: A written policy document should be available to all employees responsible for information security.

Regulation/Framework: GAISP - Generally Accepted Information Security Principles, Version 3.0, Section 3.1 Information Security Policy
Industry/Country: Security Framework
Policy Requirement: Management shall ensure that policy and supporting standards, baselines, procedures, and guidelines are developed and maintained to address all aspects of information security.

This table is one of the many resources available within Information Security Policies Made Easy.