The Compuquip E-bulletin

Summer 2003   VOLUME 1 ISSUE 8  

Tech Q&A with Tom Ewing

Q: What is the first step in a comprehensive security program?

A: Security Policies
In today’s connected economy, Information Security continues to be a pressing issue for Executive and IT managers. Articles describing Information Security incidents headline industry trade publications and have also reached the mainstream media. Threats such as worms, viruses, industrial espionage, fraud, and inappropriate use of corporate systems by employees are resulting in enormous financial loss, increased legal liability, and disruptions to business continuity.

Organizations are deploying tactical security solutions such as firewalls, Intrusion Detection/Protection Systems, and 24/7 security monitoring to combat these threats, but often overlook a vital component when developing their Information Security Program. That component is Information Security Policies. Information Security Policies lay the foundation for an effective Information Security Program by defining corporate security objectives and enabling managers to enforce them. Policies deliver a framework that provides direction for all security decisions, including the technical requirements that dictate where and how to deploy technical security controls, and that identifies acceptable use and behavioral guidelines for employees.

Without policies, employers have traditionally found it difficult to hold employees liable for inappropriate actions and have exposed their organizations to lawsuits under privacy, sexual harassment, and due diligence liability laws. Policies impose employee responsibility for actions such as downloading, storing, or transmitting viruses, pirated software, or offensive/explicit materials. As noted above, policies also provide the technical guidelines for securing critical information and systems.

The list below represents several best practice security policies:

· Information Classification and Protection
· Physical Security
· Information Disclosure
· Workstation/Desktop Acceptable Use
· Remote Access
· Monitoring and Auditing
· Incident Response and Handling
· Employee Privacy
· Training and Awareness
· Access Control – Network and Systems
· Technology Procurement
· Vendor/Visitor Access
· Disaster Recovery
· Internet and Email Acceptable Use

Compuquip’s Security Services practice has extensive experience developing, delivering, and enforcing information security policies for mid-market and Fortune 500 organizations. Compuquip’s Security Consultants use proven policy development methodologies to ensure policies reflect corporate security objectives while satisfying legal and regulatory requirements.

Published by Compuquip
Copyright © 2003 Compuquip. All rights reserved.