1. We discussed the need for policies, standards, and procedures, and that information security is part of the overall enterprise policy structure.

2. There are a growing number of laws, regulations, and requirements being established that require management to show that it is practicing due diligence.

3. There are at least 12 Tier 1 policies that each and every organization must address, including:
   3.1 Employment practices
   3.2 Employee standards of conduct
   3.3 Conflict of interest
   3.4 Performance management
   3.5 Employee discipline
   3.6 Information security
   3.7 Corporate communications
   3.8 Procurement and contracts
   3.9 Records management
   3.10 Asset classification
   3.11 Workplace security
   3.12 Business continuity planning

4. In an organization-wide policy document, the organization should include a section that presents the mission or charter statements for each organization.

5. Standing committees are also presented in this document. For an information security program to be successful, an Information Security Steering Committee (ISSC) must be established and act as champion for the program. The ISSC is charged with four crucial responsibilities, and these map to current international standards and national laws.

6. There are business reasons for requiring policies, standards, and procedures.

7. All policies must be tied to the business objectives or mission of the enterprise.

8. When you need to write policies, standards, and procedures, you will have an overwhelming desire to start writing. But take the time to determine what needs to be done and how you will do it. Do your research. There are no new policies: whatever you need to write about, you should be able to find an example that can guide you along in your development. However, avoid the temptation of taking an existing policy and just changing the names. It might work, but the odds that this kind of quick fix will meet the specific business objectives of your organization are very small.