Privacy and security policies

Objective • Data privacy/security policies should provide management direction and support for data protection, in accordance with the norms of professional ethics, business requirements and all relevant laws, regulations and private certificatory requirements.

Scope • The organization’s data privacy/security policies, taken as a whole, should provide clear controls for all data collected, used or stored in the organization’s data processing, communications, and storage systems, as well as for data collected, used or stored in the systems of external parties under contract with the organization.

Approval • Data privacy/security policies should be formally approved by appropriate organizational authorities.

Documentation • Data privacy/security policies should be fully documented in designated organizational document repositories. Policy documentation could include:

  • overall objectives and scope, including statements of management intent, supporting goals and principles;
  • listing of identified authorities (statutory, regulatory, private) and requirements that condition or control data protection activities, including an explanation or listing of policies, principles, standards and compliance requirements relevant to the organization;
  • framework for setting policy objectives and components of the policies themselves, including a structure for risk assessment and risk management;
  • definitions of general and specific responsibilities for the organization’s data security management;
  • references to additional documentation that supports or underpins the policies; and
  • formal historical record of material changes to the policies and any accompanying approvals.

Communication, training and awareness • Data privacy/security policies should be communicated to all relevant affiliates of an organization, as well as relevant external parties, via an appropriate training and awareness program.

Periodic review • Data privacy/security policies should be reviewed at planned intervals, and when significant changes in the external environment occur, to ensure their continued suitability, adequacy and effectiveness. Review steps could include:

  • solicitation and integration of feedback from all interested parties inside and outside the organization;
  • independent contracted external reviews;
  • checklists of recommendations and requirements of relevant authorities;
  • consideration of trends in threat types and threat capabilities, system vulnerabilities, and available technologies for counter-measures and mitigation;
  • consideration of trends in compliance requirements of federal, state, local and private certificatory authorities;
  • consideration of trends in and anticipated changes to the organizational environment, business circumstances, and resource availability;
  • historical data on information security incidents at the organization itself and at peer institutions; and
  • formal historical record of the reviews undertaken as part of policy development and refinement, and their outcomes.

Coordination with other policies • Review of data privacy/security policies should include consideration of other relevant organizational policies, to minimize inconsistencies and gaps. This could include:

  • identification of all other relevant policies; and
  • inclusion of representatives from the areas responsible for such policies in the periodic review of the information security policy.

SOURCES: ISO-27001/27002:2005, sects. 5.1.1 – 5.1.2.