How Many Information Security Policies Do I Need?

Tags:
ISO 17799
Network security
Network Security Policies
SAS
SAS 70
Security Program Management
I need some advice from other security experts. I was recently hired to work for a small company where our data and infrastructure are at a managed hosting facility. The hosting service has a SAS 70 that is regularly audited. In the past, my company relied – almost solely – on the managed service's security plans and controls. However, I am wondering if that is truly enough, or if we need to develop our own security plans and policies for that infrastructure and data, or whether we can continually reference the hosting company’s documents?

Answer Wiki


I did SAS 70 Level 1, and just to let you know, SAS 70 will be changing to another name very soon.

You will need just one ISP, and the rest can be stand-alone policies and procedures.

For SAS 70, there will be a need to constantly review your plans and controls every quarter or half year, and you will be good.

Discuss This Question: 1  Reply

  • Ntsandy
    Unless you have an ironclad contract in place that has acceptable SLAs, I would make sure that I had IR and DR plans in place. You also need to have plans in place that will guide your company in the event of an issue, even if the hosting provider is handling everything else. How will you continue business during their recovery period? As for policies, it depends on several factors: what industry you are in, what type of business you conduct over the internet, how you interact with customers, whether your web site is info only or e-commerce, what regulations you are subject to, etc. As for the SAS 70, it is basically useless as a security measure. The hosting provider defines what is measured, so it's pretty hard not to pass.