Citadel’s Information Security Management Policies and Standards:
- Leadership: Establish management’s commitment to securing critical information assets
- Set the Bar: Establish uniform organizational standards for securing critical information assets
- Management Playbook: Serve as a playbook for managing information security
- IT Security Management: Provide explicit standards for use by IT personnel in securely configuring and maintaining the IT Infrastructure
- Protection Baseline: Provide an information security baseline for establishing adequate privacy protection and protection of intellectual property, trade secrets and other proprietary firm information
- Cultural Adaptation: Support the all-important objective of creating an information security aware and adaptive culture
Citadel’s Information Security Policies are also designed to meet emerging information security frameworks, laws, regulations and contractual requirements for information security policies, including:
- The NIST Cybersecurity Framework
- ISO-27001, 27002
- Payment Card Industry Data Security Standard requiring the protection of card information
- Federal laws, such as HIPAA/HITECH and Gramm-Leach-Bliley, which require the protection of personal health and financial information
- NIST 800-171 and DFARS
- Center for Internet Security (CIS-20)
- FTC Safe Harbor
- New York State Cybersecurity Requirements for Financial Services Companies
- California Civil Code 1798.81.5
- GDPR
- California CCPA
- Other Compliance Requirements
Citadel’s Information Security Policies and Standards — Deliverables
- A perpetual use, non-exclusive license to Citadel’s Information Security Management Policies and Standards, branded with your name and logo.
- A 2-hour workshop introducing our policies and standards to your senior management and IT teams
- An Action Item To-Do List, documenting the steps required to comply with the policies and standards
- A concise set of Information Security Guidelines for distribution to staff
Background Information & Additional Resources
SecureTheVillage: Information Security Policies and Standards
[1] Beyond Information Security Awareness Training: It’s Time to Change the Culture, Information Security Management Handbook, Sixth Edition, edited by Hal Tipton and Micki Krause, Auerbach, 2006.
[2] See An Emerging Information Security Minimum Standard of Due Care, Robert Braun, Esq., Stan Stahl, Ph.D., Handbook of Information Security, Auerbach, 2004. An update was published in the Privacy and Data Security Law Journal, March 2006.