Written Information Security Program for Businesses | Joshua Johnson | Skillshare

Written Information Security Program for Businesses

Joshua Johnson, Information Security

Written Information Security Program for Businesses

Joshua Johnson, Information Security

Play Speed
  • 0.5x
  • 1x (Normal)
  • 1.25x
  • 1.5x
  • 2x
8 Lessons (37m)
    • 1. Introduction

    • 2. Purpose

    • 3. Information Security Coordinator

    • 4. Risk Assessment

    • 5. Policies and Procedures

    • 6. Safeguards

    • 7. Oversight and Enforcement

    • 8. Complete Drafting Exercise

  • --
  • Beginner level
  • Intermediate level
  • Advanced level
  • All levels
  • Beg/Int level
  • Int/Adv level

Community Generated

The level is determined by a majority opinion of students who have reviewed this class. The teacher's recommendation is shown until at least 5 student responses are collected.





About This Class

Businesses need the proper policies and programs in place to protect data from getting into the wrong hands. This course is a guide to developing and drafting a Written Information Security Program. It is applicable to businesses of all sizes. The course begins with short video summaries of the sections of a Written Information Security program including: defining the scope, establishing a security coordinator, risk assessment, policies, safeguards, and enforcement of the program. Lastly, the final exercise is a screen cast explanation of an actual Written Information Security Program.

Meet Your Teacher

Teacher Profile Image

Joshua Johnson

Information Security


I have been a software engineer for nearly a decade with experience in mobile, web development, and hardware design. I invented the first Android and iOS Agricultural navigation system to help farmers prevent overlap and gaps in chemical application. I am also a licensed attorney in the State of Georgia practicing in the field of information security law, privacy, and data governance. All content on this site is for educational purposes only.

See full profile

Class Ratings

Expectations Met?
  • Exceeded!
  • Yes
  • Somewhat
  • Not really
Reviews Archive

In October 2018, we updated our review system to improve the way we collect feedback. Below are the reviews written before that update.

Your creative journey starts here.

  • Unlimited access to every class
  • Supportive online creative community
  • Learn offline with Skillshare’s app

Why Join Skillshare?

Take award-winning Skillshare Original Classes

Each class has short lessons, hands-on projects

Your membership supports Skillshare teachers

Learn From Anywhere

Take classes on the go with the Skillshare app. Stream or download to watch on the plane, the subway, or wherever you learn best.



1. Introduction: hello and welcome to this course on drafting and developing a written information security program for businesses. My name is Josh Johnson. I've been a software engineer for going on about nine years now, and I'm also an attorney practising and field up information security law. What exactly does this course entail? Well, we're gonna talk about how to develop and draft written information security program that's suitable for businesses of just about every size. We're gonna go section by section, do a written information security program. First of all, we're gonna divide written information security program up in the different sections. These sections were defining the purpose of the written information security program. We're gonna talk about establishing, appointing an information security coordinator. We're gonna talk about risk assessment policies and procedures, related information, security safeguards we have at the network and physical level in the organisation. We're gonna talk about the oversight of third parties and service providers. We're also gonna talk about how to enforce this document and what needs to be included in this document in terms of discipline and other things. To make sure that this written information security program is followed by everyone in your organization. And finally, in the conclusion we're gonna talk about other documents that this relates Teoh, including a cyber response plan and some other things your organization may want to implement to supplement the written information security program. All right, I'm not talk much more about this. That's good. Get started. Our next section is defining and drafting the purpose of the written information security program. 2. Purpose: welcome back to this course on developing and drafting a written information security program. Right now, we're gonna talk about the purpose and scope of this document. This needs to be included in documents so that employees are officers of the business will be able to quickly tell what the purpose of this document ISS. First of all, we want to know that we want to ensure the security of data. That is probably the number one purpose of this written information security program. Next, we want to protect against any anticipated threats we want to protect against the unauthorized use or access of the data that we're control up. And then we also need to spell out the differences in our organization such as the side and scope, the available resource is, and the type of industry that were in their different laws tailored to the industry that you're in. So you need to be aware of those and include those in the written information security program. First of all, what is the scope of this document? Well, we want to make sure that we define that it includes all employees, contractors, officers, directors of the company, basically anyone that might have access or connection to any of the data that we do not want to have leaked or lose. Next in Scope section. We want to define what we mean by personal information and also sensitive information and also any other classifications of data that you want to make. It is important that we find personal information. Information. Security is often like a puzzle. You have pieces scattered everywhere, but if you put the right pieces together, you could get the right information together to steal someone's identity, that kind of thing. So what at an organization left we need to do is defy what information that you want to protect, and also what pieces of information make out that larger piece of information that way that you can keep all the peace individual pieces secure so that the pieces can be put together into the puzzle. That is the information that you do not want to leave their stolen from the organization. So you need to define what exactly is personal information and also how you're organization . You sensitive information sensitive information is defined as information. Is holly confidential or access or disclosed by unauthorized parties, Could cause significant harm to the company. So again, in these two sections under scope, just make sure you're considering but data as a whole, and then what can be pieced together with smaller visit data leaking here and there. 3. Information Security Coordinator: and this video will be using the term information security coordinator. But this role can be applied to the chief information officer, Chief compliance officer. Basically, the roles in this document need to be appointed to someone. There needs to be a point man on this to make sure that the policies of the written information security program are divorced. First of all, the jobs of an information security coordinator include assessing internal and external risks to information coordinating development, distribution and maintenance of information security policies and procedures. Coordinating design of reasonable and appropriate administrative technical physical safeguards that protect the data. Ensuring that the safeguards are implemented and maintained to protect personal informations about the company overseeing service providers of access and maintain personal data. Monitoring and testing the information security programs. Implementation, effectiveness. The finding. Defining and managing incident response procedures. Establishing and maintaining enforcement policies. This seems like a lot information. In regards of the Information Security Coordinator, you'll see a lot of this highlighted and are drafting document that you can see that comes with this course kind of outlines everything I just said so that you can go through each one of these sections and kind of customized and design on your own 4. Risk Assessment: Now we're gonna discuss risk assessment. Well, that's part of developing implementing this program. There needs to be periodic risk assessment. We need to see what our vulnerabilities are and what potential in a vulnerable when you see what potential vulnerabilities are out there that could potentially impact the smooth operations of our business. We need Teoh identify reasonably foreseeable internal and external risks assess the likelihood of potential damage that could result from such risks. Have I just sufficiency of relevant policy? So we need to put majors in place to see just to test how good our methods are. Also, what we need to do is follow up on these risk assessment is one thing to just test our methods, but we actually need to follow up and see how well they were. So after each risk assessment, we need to design, implement and maintain reasonable and appropriate safeguards, minimize identified risks reasonably and appropriately, addressed any identified gaps. If we see giant holes or even little holes in our program, we need to correct us, and we need to finally regularly monitor the effectiveness of the safeguards that we have in place 5. Policies and Procedures : next, I want to highlight the information security policies and procedures section of our written information security program. First of all, with this program, we need to develop, maintain and distribute information security policies and procedures in accordance with all the applicable walls standards relevant to our business. First of all, when you establish policies regarding the classification of information handling practices for sensitive personal information and any other data that your company may be involved with, we need Teoh establish what user access management system we're using, including identification authentication of users. We need to discuss our policies on encryption, computer network security, physical security, incident reporting and response, and also employee and contractor used our on premises and purposes technology. Also, we need to detail the implementation and maintenance of the network physical safeguards that we have in our business. 6. Safeguards: Let's talk about the safeguards section of our run in information security program. Personal safeguards will develop, implement and maintain reasonable administrative, technical and physical safeguards in accordance with applicable laws and standards, protected security, confidentiality, integrity and availability of personal information. First of all, we need to document administrative technical in physical safeguards that we have in place. At a minimum, we need Teoh Designate one or more employees to coordinate this program, identify the foreseeable internal and external risks store company we need to train employees and security program and practices. We need to select service providers that are capable of maintaining appropriate safeguards when they interact with our information. And then we also need to make sure that we have the right safeguards in place. For more a technical perspective, we need secure user authentication protocols, including controlling user identification and authentication with secure methods. Good passwords. We need to restrain access to users that are terminated or that might pose a threat to the business. We need to have secure access control measures, including restricting access to records and files on Lee. Those personnel that need toe have access to this documents we need to restrict access to records of files containing personal information on Lee. Those that need it, we need to assign each individual with network or computer identifiers so that we can tell who's accessing what parts of the network and what data we need to look at the proper encryption of all personal information. Traveling across the network. We need to look at encryption of all other information stored on mobile devices, things that could be easily move from the premises. We need to look at reasonable system monitoring so that we can keep an eye on what's actually going on in a network. We need to make sure that we have reasonably sufficient firewalls in place of software updated. We need to maintain current of software for virus protection, that sort of thing. And also we need to look at the physical safeguards in place in our building, such as doors that are easy toe, maybe the server room or access Teoh employees, computers, those kind of things at a physical level, awesome need to be looked at. Um, they're all kind of videos out there about getting in the buildings easily and attacking people's networks. I mean, some people will wear a fake. Some people pretend to be working on that elevator. There's all kinds of ways people can get into bed, so you need to look at those physical means of access as much as you do. The cyber means access. 7. Oversight and Enforcement: in this section, we're gonna talk about monitoring third parties and service providers. If we haven't written information security program, that's great. But a lot of times the data that we want to protect is going to be accessed by third parties. We need to make sure that these third parties and service providers are following the procedures and the written information security program. So whether this is my contract, by understanding whatever you need to do to make sure that third parties that third parties who access the data that we're trying to control, follow this written information security program. Lastly, let's talk about enforcement now written information security program is no good. And last, the officers, employees of the business follow it. We need to talk about the disciplinary actions that we used. If there are breaches or if an employee or officer is found to not be following written information security program, there need to be consequences and they need to be drafted. This documents that there's consistency so that their information security program is respected. To close this course, I want to mention that there are other documents involved with the written information security programs such as a cyber incident response. Each one of these sections can have their own governing document. The key is that you think about each one of these sections on development. Clear written plan for them. This seems like a lot of information. And perhaps I was reading path at some points. I'm gonna put a sample written information security program up here for this course for you to look at, and then you go three section by section and kind of modify the words that I've used accordingly. 8. Complete Drafting Exercise: Hello. And welcome back to this course on developing and drafting a written information security program. At this point, we're now ready for our course exercise. Essentially, we're gonna go through an entire written information security program document section by section and kind of discuss the different parts of the document. This is all gonna connect back to the video sections that were previously watched and kind of the information that's included in each one of those sections. All right, first of all, you got to see a bunch of brackets here at the beginning, And this guy, you're going to see where it says list additional applicable walls and obligations in this particular section, you're gonna want to list any other applicability laws of your jurisdiction. You see, the Massachusetts Data Security Regulation? Well, that one applies to just about every single one of these, because anything online, the interacts of anyone in the state of Massachusetts, they get on a computer, that sort of thing, and access your website. Um, there'll always going to apply? So that's one to start out with. Now your specific state or jurisdiction may have additional regulations regarding the particular industry here, so you're gonna wanna list those and put this kind of things in the beginning of this document. The section of the document describes the purpose of the written information sharing program. This is good because it helps get employees and officers on board and understanding more quickly of the scope and necessity of this document. Here we have a ensure the security, confidentiality, integrity and availability of personal information that your business collects, creates, uses and maintains protect against any anticipated threats or hazards is security, confidentiality, integrity and availability of such information. Protect against unauthorized access. Define an information security program That is appropriate. Teoh your particular business. Make sure you understand a, B, C and D and how they apply to your organization. Next, we're gonna move down to the scope section. Now we're gonna fill in basically everyone that this document applies to by default. You see employees, contractors, officers, directors, basically anyone that you want this West fly Teoh. Now, later on, there's a section on third parties and service providers in this particular section. We're just kind of talking about the people that the list governs directly. So anybody working for the company, uh, any contractors or temporary employees, directors, anybody, an organization that you want included. Make sure you spell out the exact scope of who you want this wisp to cover next. We're looking at kind of just a general definition of personal information we were talking about earlier. And when the earlier videos is kind of the puzzle model of information security, a lot of times metadata or just little tiny pieces of data here and there, when by themselves don't mean much. But when you put them together, eventually you have enough information to either steal someone's identity or get away with a piece of information that you don't want the whole world to know about. In this particular case, were to find any personal information and also data elements that could collectively put together could cost, um, problems. So here we have So security numbers, driver's license, this passport numbers, debit card numbers, anything that you put together that could collectively be used against somebody. You see all this in the personal information section, we can scroll down a little bit, and then we can define exactly what sensitive information is now for your organization that both the personal information sensitive information is gonna be define. However you decide to do that, you're gonna need to think about what Daddy organization has. And then you're gonna need to think about dividing that data into smaller components that you have on hand. You know, you have a mongo database. Um, you might have lots and lots of different fields. You might prioritize some of those fields over others. So in this particular section, you needed to find what is important to your organization and also think about in advance what could be put together and could potentially harmful if those pieces are put out there and the public it's put together. So at this particular point here, we have sensitive information defined as highly confidential information. If accessed by or disclosed to, unauthorized parties could cause significant or material harm Teoh organization. Again, just be thinking about the smaller pieces of the puzzle that make the larger puzzle. Next section, we have the Information Security Coordinator in this particular section. What we're gonna do is establish and define the roles of the information security coordinator. First of all, you need to pick somebody for this role, whether it's your chief information officer plants officer or somebody working for them. The important thing about Information Security coordinator is that I've often heard that they need to have a title with the see in front of it and that they can easily get to here CEO, your chief information officer, somebody rather quickly up the chain of command that basically ever said that your information security coordinator needs to be able to work with a CEO or someone else senior in your organization, so that Information Security Coordinator can freely speak to them and discuss issues that are going on in the corporation. A lot of times, network security and a lot of these policies are managed way down low in the company, and important things never make their way up to the top where they need to be. We're with the people that these decisions need to be consulted with. So make sure when you define your information security coordinator that somebody of high enough that has a year of CEO uh, chief information officer, compliance officer, something like that. All right, so now we kind of define some of the things that an information security coordinator is charged with assessing internal and external risks. Coordinating development of the policies, coordinating the design of reasonable and appropriate administrative safeguards and sharing the safeguards are implemented. Maintained. Protect personal information. Overseeing service providers. Monitoring and testing information. Security programs. Defining and managing incident response procedures. Establishing and managing enforcement policies. Training for employees, contractors and other stakeholders Providing periodic training. Now this is something that seems obvious and as important. But a lot of times this doesn't happen, and it doesn't happen with regularity. People are often subject to have it. For example, they tend to reuse the same password over and over again, even though you've showed them how to use the password manager. This is why it's important to have periodic training to keep people always alert and on guard for potential threats. Not only this, a lot of times training would be provided, but there's no logs of when and how often it occurs. And then, at that point you thought, well, did we do this this year that we do that last month and then it gets pushed down the road? It might be a couple of years before training happens again to make sure that the information security coordinator is keeping good logs of when the training events occurred again, I cannot over emphasize importance of retaining training and acknowledgement records of training sessions that you've done. The Information Security Coordinator also needs to review this wist He has to go through it and see exactly what the information Security Coordinator is tasked with. This is kind of like a job description for the Information Security coordinator, and it is really important that they continue to look at this document. Make sure they're not missing any important roles that they have in the organization. Defining and managing an exceptions processor view, approve or deny document monitor periodically that reassess any necessary inappropriate, business driven press for deviations. Okay, at times, your west may not fit exactly perfectly. You're gonna need to make some alterations. You're gonna need Teoh do some things. Maybe you need to work with another service provider that I can't follow things exactly the way you wanted to be followed. So, um, it's another role the information security coordinator to kind of determine how much we can deviate from this document and also maybe included other safeguards or create new safeguards for that exception to the written information security program and that concludes our review on a section of the defining in establishing the Information Security Coordinator. Next, we're gonna talk about risk assessment. All right, Now, again, this is something that needs to happen with some regularity. Basically, you want to get your teams together, and you want to determine what risks are out there internally and externally, to the security, confidentiality, integrity or availability of any Elektronik paper of the record containing personal information or whatever data that you want to protect. You want to make sure that you are meeting regularly to see what risks are to this information ways the information could be leaked way somebody could get in and get the information. Basically, you need. That's pretty often because, as we know, Tex changing fast and so are in a malicious ways people can get into your information, so you need to keep up on this and meet very often to do those risk assessments. Now, beside assessing the likelihood that something could happen, you're gonna want to evaluate to see efficiencies of your policies. So whatever control systems you have whatever ways you have Teoh protect against Ah, that a loss. You need to see if they actually work. And that's part of risk. Assessment is testing whether or not you know, your scheme works and you need to do that before it actually breaks, or you find out that or you actually lose data and realize that your plan didn't work in the first place. So you need to put measures and means in there. Teoh test whether or not your risk assessment is viable all right, following each risk assessment. And J. P. Johnson, we'll see Will here. Your business will do what design implement, Maintain reasonable and appropriate safeguards. Okay, so basically, you want to respond to your risk assessment. You want to create your policies. You want to create your safeguards. Basically, you want to design. It will maintain reasonable, appropriate safeguards to minimize the risks that you discovered. Um, and then you also want to address any gaps and also monitor the effectiveness of your safeguards. So again, risk assessment testing, more risk assessment, more testing on the cycle doesn't end. It will never end. Next, we're gonna move up to the Information Security Policies and Procedures section. Here is your going to basically write down all of the other policies that you're gonna have that's connected to this written information security program. You're not gonna put all these directly in the program, but you're gonna reference them. So let's talk about information, classifications, information handling practices. He's their access management, encryption, computer, network security. All of these things are very technical. And you're gonna wanna have somebody that understand. These understands these systems to create individual policies for you in regard to each one of these sections. You know, what information do you need to have encrypted? What physical security methods do you need? You need to have a way that somebody can't tamper with your door, handles just basic things like that and then referred to from the written information security program. Basically, the written information security program just tells you that this document exists and that it needs to be referred Teoh in regard to whatever it is. It's a physical security or encryption network security. Whatever it is, you need to have this documents in place in addition to the written information security program. Now the ones listed here, or just the basic general ones that apply to just about every business. So at minimum you're gonna want to have policies. And regarding encryption, this is encryption physical security incident reporting response. These things you're gonna wanna have as separate policies reference from this document. This is another common one employee and contractor using technology, people coming on site, acceptable used. And bring your own device. Toe work. You know, employees have smart friends too. Laptops, whatever it is, are they gonna be connected to your network? You need to have policies in place to address these issues, too. Next section safeguards. Well, what are the administrative, technical, physical safeguards that you're gonna have to protect your data. Now, this is something that needs to be appropriate to the size and scope in the industry you're in, or even the amount of personal data that you have, where it is's in a cloud. You have 25 servers in the back room. Uh, here we need to just define of the safeguards that we want to use again. This is kind of like the last section where we talked about this is kind of like the last section we talked about the security policies. A lot of these are gonna be defined here, but they're going to reference other documents, other departments. But basically, the written information security program defines what we're gonna have and who were gonna contact about it. Let's list a few administrative safeguards designating someone to be in charge of the Information Security Program Coordinator identifying reasonably perceivable internal and external risks. Well, that news that happen, we need to train employees. Well, that needs that. Have a need to have somebody in charge of that. It is not the firmest security coordinator. We need somebody to select service providers that are capable of maintaining purpose safeguards. Basically, have somebody come on site or years and somebody else. Teoh for some service, we need to make sure that they're gonna, you know, take care of the data. Like we would want her dad taking care of adjusting in the case of a new circumstances. In light of business changes here on a new site. New clients, you know, new product line. These things need to be considered all the time as possible. Safe cards. Technical safeguards should include the maintenance of a security system, you know, user authentication protocols. These are kind of just the basic ones that you know, every organization used to have controlling user identification. Authentication. Are you Zanele dab? What system are you using? Teoh control users on your network. And not only that. Access to the building, different parts of the building. These things need to be considered ass safeguards to your data. Do you restrict access, Teoh? Certain users. Basically, we don't want everyone to be an admin. We don't want everyone have information that's not necessary. Do we take care of terminated employees that we cut off their access to information? Do we block users? This is kind of like the whole failed a band system with a cloud based server. You know, if there are multiple unsuccessful attempts to log in to leave, you know, limit access for a time just in case it's somebody else trying to get in. Other than a legitimate user, a lot of times you're gonna wanna have unique identifier so you can whose fault it is when something happened. A lot of that involves forensics and in the end, being able to attribute an attack or leak to somebody so that you can correct in the future through whether it's training or discipline. Whatever the case may be, unique identifiers. User access systems exceeded the user. Access control is very important. Uh, you're gonna wanna have reasonable systems for monitoring, preventing detecting, whether it's network intrusion changes lever. It is. I don't If you have a packet sniffer, whatever you're going to use, monitor your systems. You need to do that. Not only do you need a monitor, not only do you need to have a system, you know, recording what's going on, but you need to be able Teoh would be alerted to when these things happen. You can have all the logs in the world. But if you have no way of alerting yourself when something or someone unauthorised using something or what not, it's not going to have a lot of good. So remember that have reasonable system monitoring, uh, current firewalls, current firewall protection software patches, do your security updates. Uh, now, some of these seem like, you know, just well, yeah, these were just things that ought to be done, but a lot of times they get skipped over, especially if you have a business that has no one with any technical understanding. They don't realize the importance of some of these things. That's why we need to spell them out and written information security program To make it clear that these things need to happen. We need to happen regularly. Uh, physical safeguards, Harry. Want to talk about, you know, ways, Teoh. Keep people out of physical access to certain areas. Locked facilities, doors, good lox, riel locks, the door frames air fine. And also, uh, kind of talk about the disposal or destruction of information that's no longer needed but needs to be secured. This next section is, ah, service provider oversight. I'm not gonna talk a whole lot about it, but you're West needs to address the third parties that interact with your information and data. Make sure that they're abiding by particular policies are abiding by the list or a several policy for the service provider because it doesn't matter if you leak a daily, get the information leak. So you need to make sure that your service provider could be trusted and they're using the same means and methods at a minimum that you're using in regards to encryption and what other data government governor and its rules that you have for your organization monitoring Well, do you need to regularly test the monitor the implementation and effectiveness of this program? So some of this feedback driven things keep an eye on it, continually test whether or not your program works. Make changes. Us. Necessary incident response that we didn't make a video about this. But you need to have a policy in place for what happens when you know things go bad, your organization gets hacked and employees ah, leaves the briefcase somewhere full of important client information. Whatever the case is, you need to have a plan already in place. And you know, this can discuss other things to such as whether or not you have an insurance policy on hand, um, or whether the data was already encrypted in the first place so that that loss briefcase isn't has bad of a big of a deal, as it would have been had the information that have been encrypted. So you need to have an incident response coming up. We'll have a video on cyber incident response plans, but for now, that's kind of what the section governs enforcement. Well, you need a reference HR policies that you have that help keep the whisper alive. Basically, if an employee or officer breaks something as part of one of your policies, you need to make sure that there's discipline and it's you need to make sure that there's a disciplinary process. And that's consistent so that this written information security program is respected and obeyed. Essentially, if you don't have people following it, it's not gonna do you any good. Lastly, we need to review the measures. Just kind of a reminder that again you do a risk assessment, you test review Risk assessment test review again. This is a cycle that shouldn't. And so 11 this kind of just a reminder that lastly, have an effective date. When you want this to go, you can even put your revision history here. These are the most common things that you want to have in a written information security program, your written information security program. He find something else online might have more, or you might actually integrate some of the other policies, such as the incident, such as an incidence response into this document. Now, this document just a template. Your actual written information security program should probably be prepared by both an attorney and information technology professional. Now this documents just a template for educational purposes. Your actual written information security program could have a lot more in it. You could actually put the policies that we referred to embed them in this document instead of referencing them that way. They're all in one place. But it's important that you have one of these documents and that you consider, at least at the minimum, the topics covered in this written information security program. I might be missing something. There's probably a lot more that you could put in your document that applies to your industry and your particular line of work. So keep those things in mind. If you've got any questions, feel free to send me an email. It is JJ at JJ lol dot io Again. JJ JJ walled on io where you can visit my website J j law dot io again this JJ law dot io Thank you. I hope you enjoy this course. There will be some more horses coming up soon, especially looking forward to our cyber incidents response plan. Of course, coming up here soon, so keep those things in mind. Thank you. and appreciate you sticking it out to the end of the scores. Good. Like drafting your written information security program.