Monday, June 16, 2008

Confidential Information Handling Policy

I have just started to consolidate several best practices and operational procedures for handling confidential information. I am using the results of this effort to set a confidential information handling policy. It seems that the policy itself may turn out to be very simple:

  1. Confidential information may only be collected, stored and processed if a need to do so exists, and if that need cannot be satisfied in any other way.
  2. Confidential information must be destroyed when it is no longer needed.
  3. Confidential information must be handled with due care.
  4. When loss of or unauthorized access to information has been detected, or if it is suspected, the Information Security Officer must be notified and an information security incident will be declared.

Is there anything I need to address at the policy-level? Obviously, at the level of the supporting standard, the requirements for due care must be established in more detail, but this seems to mostly cover it.
