tag:blogger.com,1999:blog-1572948039764834937.post8093039110842909946..comments2008-07-16T19:20:46.468-07:00John R. Christiansenhttp://www.blogger.com/profile/16592498654125943981noreply@blogger.comBlogger3125tag:blogger.com,1999:blog-1572948039764834937.post-82994030585658452672007-01-31T08:20:00.000-08:002007-01-31T08:20:00.000-08:00This comes under the heading of "think first, post later." As far as the structure of policy is concerned - Eric's point about executive/board level policies being necessary but hard to change and therefore generalized - this is reflected in the Integrated Information Security Standard of Care posted 1/26/07 - see subsection 3(b) in the table. <br /><br />A generalized fiduciary-level policy is an "organizational policy" in this scheme, while this security incident response policy would be an "information security program policy" as provided in subsection 3(c).John R. Christiansenhttp://www.blogger.com/profile/16592498654125943981noreply@blogger.comtag:blogger.com,1999:blog-1572948039764834937.post-23888483743660856682007-01-31T07:38:00.000-08:002007-01-31T07:38:00.000-08:00That's the structure I advocate, myself, and I'll be posting some materials on this. <br /><br />I also agree that the ISO standards are a great resource; they're one of the set that I think ought to be considered and probably often incorporated into an integrated approach to infosec.<br /><br />Probably this particular document shouldn't be called a "policy," strictly speaking, more a relatively high-level "procedures" document. It's actually based more than anything else on an internal services-level agreement I helped a client develop, for coordinating incident response among a number of distributed units.John R. Christiansenhttp://www.blogger.com/profile/16592498654125943981noreply@blogger.comtag:blogger.com,1999:blog-1572948039764834937.post-3672343267369055572007-01-29T15:46:00.000-08:002007-01-29T15:46:00.000-08:00Hi John, I'll be looking forward to a discussion here going forward. <br /><br />May I suggest that you review the ISO 27001 (formerly 17799) standards for Information Security Management Systems. I believe that, although not specifically crafted for healthcare, they are very applicable to healthcare organizations. One of the pitfalls of "typical security & privacy policy" that ISO avoids is the embedding of plans, procedures and standards within policy. <br /><br />Because most policy requires senior executives, or even the Board, to approve, it is not a "living document" in the sense that lower level documents are. An emerging best practice in the area of policy development is to keep policy as general as possible and embed the details in supporting standards and procedures, which are more easily modified as the security landscape changes.Eric Cowperthwaitehttp://www.blogger.com/profile/05537542755148349170noreply@blogger.com