HIPAA/SECURE:
Security Q/A
July 2002
"The Best Way to Develop Security Policies"
by Eric Maiwald, CISSP, Chief Technology Officer,
Fortrex Technologies, Inc.
QUESTION: Based on the proposed HIPAA requirements, we know
that we will need to develop security policies. What is the best
way to go about this?
ANSWER: There are several issues that need to be addressed
when writing policy. Even before you start writing, make sure you
understand the culture of the organization. That culture determines
what the organization will accept as reasonable behavior (especially
in terms of Internet and computer use), and a policy that ignores it
will be resisted or simply not followed.
As you begin to work on policy, try to identify how the policies
will fit together. Writing a low-level procedure may turn out to
be the easiest place to start, but the procedure may then constrain how
the higher-level corporate policy it is supposed to implement can be
written. Therefore, starting with some of the higher-level documents
may be more appropriate.
Once you have decided where to start, make sure you include stakeholders
in the process. A stakeholder is someone who has a vested interest
in what the document says and how it will be implemented. I have
seen a number of cases where policies (and occasionally entire security
departments) have failed because the process did not include influential
stakeholders from other departments.
Since the policies are security issues, security should drive the
process. Bring the stakeholders together and provide them with an
outline for the policy in question along with some points to be
covered in each section. Discuss each point with the stakeholders.
If you have stakeholders who want to water down the policy too much,
explain to them the risks to the organization and why the policy
needs to be strong enough to help manage those risks. After the meeting,
go off and put text to each section. Send the text out for comment
and go over the comments with the stakeholders at the next meeting.
Continue this process until you have a general consensus from the
group. Then you have something you can take to management for final
approval.
Once you have approved policies you will need to implement them
across the organization. Please resist the temptation to just "make
it so." It is important to begin awareness training with employees
before you implement policies that will impact them. For example,
if you change the password policy for the organization
without first showing employees what the new policy will require, it is
likely that your organization's help desk will be overwhelmed with calls
when the new policy goes into effect.
Fortrex Technologies, a Phoenix Health Systems security partner,
provides enterprise security management services and information
security process and monitoring services for healthcare and other
industries. www.fortrex.com