9/13/2005

Information Security Policies and Programs Essentials

"There are four risks that every organization must manage around information use, and the most effective organizations manage all of these risks in a holistic manner. These risks are:

1. Legal Compliance...
2. Reputation...
3. Investment...
4. Reticence...

Balancing these four risks requires tradeoffs to be made...

Both risk management and good corporate citizenship require that organizations develop policies for the appropriate collection and use of personalinformation. Depending on the organization’s business, these polices may include such things as maintaining opt out lists for direct marketing, developing appropriate security for customer financial or medical records, executing proper contracts to authorize international data flows, or publishing an online privacy notice if data is collected over the Internet. Corporate privacy leaders must assist their organizations in thinking about privacy policy development in a formal, objective way, meeting policy
goals as well as preserving business flexibility. Privacy executives must also understand and anticipate future changes both in the regulatory environment and in their companies’ business needs. To achieve these objectives, companies should consider four distinct tasks.

Phase 1. Discover...
Phase 2. Build...
Phase 3. Communicate...
Phase 4. Evolve.."

Read more in this excellent and comprehensive article by Margaret P. Eisenhauer of Hunton & Williams LLP.