Developing a written information security program
Okay, so maybe your organization is not a Covered Entity under HIPAA, or even subject to GLBA. Even so, there may be compelling reasons to have a written information security program. You may have personal information of a Massachusetts resident and therefore be subject to the new Massachusetts data privacy regulations. Or, perhaps, you are now covered under the new Business Associates rule of the HITECH amendments under HIPAA. Or, just maybe, you care enough about protecting the personal information of your employees and customers to be proactively protecting the data that you control.
For whatever reason, management has committed to getting your organization’s data security house in order (and assigned the task to you). What next?
The prospect of developing an information security program can be daunting.
Over the next few days, I will describe my approach to the task. By way of a quick preview, I divide this compliance nightmare into four modules:
(1) Data Flow Assessment and Drafting of the Written Information Security Program (WISP);
(2) Implementation of the WISP and employee compliance training;
(3) Ongoing monitoring, review and amendment of the WISP; and
(4) Vendor relationship management under the WISP.
Each of these modules has multiple tasks or phases (as I call them).
In my next post on this topic, I will detail my approach to Module 1.
Stay tuned.