Information Security Handbook
上QQ阅读APP看书,第一时间看更新

Policies

A policy is a foundational aspect to the development of a strong information security program. When developing a policy, you should ensure that you follow a few key principles:

  • Receive board-level / CEO approval and support:
    • Without CEO or board-level backing, a security program is doomed to fail
  • You should only create a policy that you intend to follow:
    • This means do not create a policy for the sake of the documentation. A policy that sits on the shelf and is never used does not help anyone.
    • Policies that you don't follow will be used by an auditor to show that you are deficient:
      • If you have policies follow them.
  • Ensure your policies are implementable:
    • There are many ways that a security standard can be met, and your policies should reflect the way that your organization wants to implement a standard
    • Do not describe four points in a policy if you intend to only implement two of them if those two provide adequate risk mitigation
  • A policy needs to take into account the organization's appetite for accepting risk:
    • Consider the value of the information that your organization owns.
    • Consider what would happen to the organization if you lost control over the confidentiality, integrity, and/or availability of the information:
      • Are you trying to safeguard trade secrets or sensitive proprietary information (confidentiality)?
      • Does information need to be accurate at all times (integrity)?
      • Could the organization effectively operate without its information (availability)?
    • Answers to questions like these, combined with an understanding of you organizations risk appetite, will inform your policy development.