How to write an information security policy
QUESTION:
I've been assigned to write an enterprise security standard. Where do I start, what is the procedure, and what are some common mistakes?
ANSWERED October 2009:
I assume that you mean how to write a security policy. One of the key controls in ISO 27001, a technology-neutral information security standard, is having an organisational security policy endorsed by senior management. In my experience, if you want to get senior management to sign something that the whole organisation can see, it's best to keep it short! It should cover the organisation's commitment to security, including who is responsible for infosec tasks. The policy should also provide a pointer to more detailed documentation and guidance, and cover the key security requirements that the organisation is going to meet, like the Data Protection Act, for example.
Beyond that, policy documentation is very specific to the organisation. I do not believe that one set of documentation fits all organisations, but the security policies and procedures need to fit the organisation's culture if they are going to have any effect.
However you decide to frame the security policy, here are key questions that you need to consider:
- What are your security objectives, and how do you measure them?
- What types of information do you handle, and how do the different types of information need to be protected?
- How do you assess risks and select security controls?
- How do you manage and report incidents, and learn from them?
- Who is responsible for security?
- What is acceptable employee use of the Internet, email and other communication channels?