
HIC, INC

Implementation, Enforcement, and Compliance Plan

Introduction
HIC, Inc. handles, stores, and processes many different types of data, which presents
benefits as well as risks to the organization. Managing these risks is the responsibility of all
personnel. Risk management is best handled by identifying a business operational state that
minimizes risk. Business risk includes handling data subject to regulations, protecting data from
theft or loss and the costs that follow, and protecting our corporate reputation. This plan
describes how policies will be implemented, how their effectiveness will be monitored and
reported, how they will be enforced, and finally how compliance with them will be measured.

To be most effective, our personnel must understand that these policies are a priority of our
top executives and that they reduce corporate business risk. The Chief Information Officer
(CIO), Chief Information Security Officer (CISO), and Chief Data Protection Officer (CDPO) are
responsible for maintaining policy, providing support and resources for implementation, and
ensuring all personnel understand and follow information security policies.

Monitoring and Reporting

Monitoring and reporting determine whether the policies are effective, whether personnel are
following them, and whether they need to be adjusted. Monitoring and reporting improve
productivity, can discover violations of security policies, maintain the security of sensitive
data, improve quality, and avoid liability. The CISO is responsible for gathering metrics on the
success of the information security plan implementation. Metrics must be reported to the CIO
and CEO at least twice a year. All employees are responsible for following information security
policies and procedures to ensure business risks are minimized.

Monitoring of email, Internet usage, and computer software is required, and baselines will also
be used. All security incidents reported to the help desk and the CISO's office will be analyzed.
Every security incident must have an associated help desk incident tracking number to ensure
effective reporting. Additionally, the CDPO and CISO must perform random and/or departmental
audits to monitor the organization's security posture and provide additional reporting metrics.

All systems, where possible, must have a baseline created from minimum security standards.
Any system for which a baseline cannot be created must be reported to the CISO and reviewed
annually. Systems will be compared to their baseline quarterly to determine their current state.
Where possible, automated mechanisms must be used for the configuration, deployment, analysis,
and reporting of baseline assessments, both to reduce costs and complexity and to make each
quarterly comparison repeatable.
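The quarterly baseline comparison described above can be automated with a small checker. The following is an added example and not code from the HIC, Inc. plan: the baseline rules, the setting names, and the sample sshd_config-style text are all constructed for illustration. It parses the observed settings, compares each against a baseline rule, and reports PASS, FAIL, or MISSING. A setting that is absent from the file is running on the software's default, which must be reviewed rather than assumed compliant, so it is reported separately instead of being counted as a pass.

```python
"""Compare a system's observed configuration with a minimum security baseline.

Added example, not part of the HIC, Inc. plan. The baseline rules below and the
sample sshd_config-style text are constructed for illustration; a real baseline
would come from the organization's approved minimum security standards.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One baseline requirement.

    op is "eq"  (observed must equal expected, case-insensitive),
          "max" (observed integer must be <= expected) or
          "min" (observed integer must be >= expected).
    """
    name: str
    expected: str
    op: str = "eq"


# Constructed minimum-security baseline (hypothetical values).
BASELINE = [
    Rule("PermitRootLogin", "no"),
    Rule("PasswordAuthentication", "no"),
    Rule("MaxAuthTries", "4", "max"),
    Rule("X11Forwarding", "no"),
    Rule("LogLevel", "VERBOSE"),
]

# Constructed sample of one host's sshd_config (not a real system).
SAMPLE_CONFIG = """\
# constructed sample sshd_config
LogLevel VERBOSE
PermitRootLogin yes             # deviates from the baseline
PasswordAuthentication no
MaxAuthTries 6                  # exceeds the baseline maximum of 4
PermitRootLogin no              # duplicate: sshd keeps the first value, so this is ignored
"""


def parse_config(text: str) -> dict[str, str]:
    """Parse 'Key value' lines, sshd_config style, ignoring comments and blanks.

    The first occurrence of a key wins, matching sshd's own rule. Match blocks
    are not handled; settings inside them would need per-block evaluation.
    Keys are lower-cased because sshd keywords are case-insensitive.
    """
    observed: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        observed.setdefault(key.lower(), value.strip())
    return observed


def check_rule(rule: Rule, observed: dict[str, str]) -> tuple[str, str, str | None]:
    """Return (status, rule name, observed value); status is PASS, FAIL or MISSING."""
    value = observed.get(rule.name.lower())
    if value is None:
        return ("MISSING", rule.name, None)
    if rule.op == "eq":
        ok = value.lower() == rule.expected.lower()
    else:
        try:
            number = int(value)
        except ValueError:
            return ("FAIL", rule.name, value)  # non-numeric where a number is required
        limit = int(rule.expected)
        ok = number <= limit if rule.op == "max" else number >= limit
    return ("PASS" if ok else "FAIL", rule.name, value)


def assess(text: str, baseline: list[Rule] = BASELINE) -> list[tuple[str, str, str | None]]:
    """Evaluate every baseline rule against the observed configuration text."""
    observed = parse_config(text)
    return [check_rule(rule, observed) for rule in baseline]


def summarize(results: list[tuple[str, str, str | None]]) -> dict[str, int]:
    """Count results by status; the counts are what a quarterly report would roll up."""
    counts = {"PASS": 0, "FAIL": 0, "MISSING": 0}
    for status, _, _ in results:
        counts[status] += 1
    return counts


if __name__ == "__main__":
    findings = assess(SAMPLE_CONFIG)
    for status, name, value in findings:
        print(f"{status:8} {name:25} observed={value!r}")
    print(summarize(findings))
```

The report is deliberately three-valued. A FAIL is a deviation to remediate; a MISSING is a setting whose effective value is the vendor default and so must be confirmed against the baseline by hand or by querying the running service (for OpenSSH, `sshd -T` prints the effective configuration), which is the kind of check the annual review of systems without a baseline should also cover.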

Communication
The creation and presentation of an information security plan requires organization-wide
communication. Leading practices have shown that successful implementations have support
from the CEO, CIO, and CISO. The CEO, CIO, and CISO should express support during quarterly
meetings or through corporate communications to ensure success. Additionally, it is
recommended that senior leaders work with line managers and supervisors and with the
marketing and HR departments to ensure all employees understand the importance of this
program in reducing business risk. It is best to introduce the plan with a corporate
announcement during our slower season.

Finally, continued support and communication should be included in the communication plan.
The CIO and CISO must continue to advocate for the program through email, posters, and other
communication media identified by the marketing and human resources departments. We
recommend a quarterly announcement or email distribution highlighting particular information
security policies.

Training
A Security Awareness and Training program is required for program success and to meet
regulatory training requirements, such as those of the Health Insurance Portability and
Accountability Act (HIPAA). All employees, contractors, and vendors must participate in an
approved Security Awareness and Training program. To reduce costs, training will be provided
by a qualified vendor through the CISO. The CISO and all managers with direct reports will
work with the HR department to identify the type and style of training required. HR must
ensure that all new employees and contractors complete information security training before
they are given access to any sensitive data.

Specialized training will be assigned based on the types of data employees work with; however,
all employees are required to take basic information security awareness training at least once a
year. Senior executives must also take the training and are encouraged to express their support
for it. Training will be provided both as Computer Based Training (CBT) and as instructor-led
classroom training for specific data handling requirements.

If security incidents recur, additional training may be assigned. Where security incidents
continue to recur, employees may be subject to termination in accordance with HR policies and
contractors may be released.

Compliance
Compliance with laws and regulations related to data is the responsibility of the
Chief Data Protection Officer and the Chief Information Security Officer. The CISO and CDPO
must review technical requirements and work with the legal team to ensure information security
policies are lawful and appropriate. A governance committee composed of HR, legal, the CDPO,
and the CISO's teams must be formed and meet quarterly to discuss policy effectiveness.

All staff in the CIO's organization and all IT staff must follow standards-based approaches
wherever possible to automate tasks and ensure compliance efficiently. Standards-based
approaches include the use of frameworks and standards such as the Information Technology
Infrastructure Library (ITIL), the Security Content Automation Protocol (SCAP), and the Simple
Network Management Protocol (SNMP). The CISO and CDPO will work with managers to determine
which of these to use.