Healthcare technology solutions are available through the PC Connection, Inc. family of companies. Call today: 1.800.395.8685
Small to Medium Acute or Ambulatory Facilities: www.pcconnection.com/healthcare
Government Owned and Academic Hospitals: www.govconnection.com/healthcare
Large and Acute Care Centers and IDNs: www.moredirect.com/healthcare
©2015 PC Connection, Inc. All rights reserved. PC Connection, GovConnection, and MoreDirect are registered trademarks of PC Connection, Inc. or its subsidiaries. All copyrights and trademarks remain the property of their respective owners. #178640 0615
Top Four Essentials for Your Security Policy
Don't Expose Your Organization to Unnecessary Risks
WRITTEN BY STEPHEN NARDONE

In an era when security threats morph daily and compliance regulations get more complex every year, creating a solid and up-to-date security program is crucial. A good security program must cover your organization end-to-end, line up with your company's risk management strategy, and provide all the standards, guidelines, and policies needed to enforce it. It must also be flexible enough to incorporate ongoing revisions and updates. And it must be enforceable; otherwise, it is just an object of employee derision and a waste of time. Below are four critical attributes of a credible policy.
1. Create an end-to-end policy (don't just talk about it).

Research shows that business executives and IT managers alike believe the coordination of a security program across the organization's entire data network is essential. Nevertheless, many organizations neglect to include their whole range of data assets when setting a program and developing policies. End-to-end security means protecting data from its point of origin, through all points of transit, to its resting point in storage. You need to examine these points for all of your data, whether they lie on your own servers or in a cloud, and set up measures to address any potential security gaps. Encryption, authentication, authorization, and other means of access control should all be included in the policies and spelled out for every type of data. Include information about penalties for violations, such as revocation of credentials and denial of access, so users can see that the program has merit.
2. Coordinate with risk assessment.

Before you finalize your program, go over your organization's risk assessment documentation to make sure it covers all relevant potential hazards identified, including special risk circumstances and industry-specific compliance regulations. No two organizations are exactly alike, and while it may be tempting to cut and paste a generic policy from the internet, as many organizations do, you are doing your own organization a disservice unless you address your specific risks.
3. Build in a plan for updates and revisions.

Once you have a security program in place, review it regularly to make sure it still meets your needs. The IT department should keep up with current trends, monitoring news and comparing its own program with competitors' to make sure that new threats are addressed. Whenever your organization expands its operations, a review should be done, both to make sure the current program is up-to-date and to account for any new wrinkles the new business line may introduce.
4. Make it enforceable.

A security program is useless unless all of its provisions can be enforced. Employees will notice unenforceable requirements and become frustrated and less trustful of the entire program. You can use a variety of security compliance tools that formulate policy requirements into a database and monitor compliance across networks, fixing vulnerabilities as they occur. These systems need to be coordinated with anti-virus software, firewalls, and other security programs already in place.
About the Author:
Stephen Nardone is Director of Security Solutions and Services at PC Connection, Inc., with over 34 years of experience on both the government side and the commercial side of the security business. Discover more of Nardone's insights on our official blog, Connected, at www.pcconnection.com/NardoneBlog