Friday, September 7, 2012


I couldn’t come up with a topic idea for this week’s post, so I just checked what Google had to say when I entered “information security” in the search.  Through a series of sub-searches, I came across the topic of Information Security Policy Definitions, which is basically a company’s rules dictating how to keep information safe.  This made me think about all the different levels of information that need to be addressed when a company designs a program.  I’m talking about information that is outside of the technology sphere.

First, there are the rules about what employees can say over the phone, and this is going to change according to who the caller is.  For some callers, a whole series of account security questions needs to be asked, and for others, information can be released just by verifying the name.  In some situations, no information can be given at all.

Second, there is the security of physical information.  This includes paperwork that is no longer required and thrown away.  Does it need to be placed in a secure recycle bin?  Who has access to the bin, and how often is it emptied?  Can it be shredded, or does it need to be burned?  Then there are the documents a company needs to keep for a designated period of time.  Decisions need to be made regarding how long they are kept, where they are kept (what kind of facility), and who has access to them.

Third is the security of digital information and networks.  I’m not going to go into detail on this section this week because I will have more to say about it in a later post.  This post is dedicated to the different kinds of security that need to be managed and protected.

When planning an information security program, there are a lot of different factors that need to be taken into consideration at all levels of the organization.  It’s something employees need to learn and practice, and it’s something that needs to be constantly reviewed and updated as needed.
