Demystifying Policy Development
Speaker:
Thomas Peltier
President
Peltier and Associates
Presentation Overview:
In this seminar we will discuss the processes needed to implement policies. We'll show you how to create a communication plan, incorporating the elements of an employee awareness plan, that targets staff, contractors, third-party users, service providers and business partners. We will examine the three major types of policies used by business, industry and government agencies and review current examples of each. Attendees will become familiar with the components of each policy type and use this knowledge to edit existing examples and develop a draft policy statement. We will use current industry standards (NIST and ISO 17799) as the basis for policy components and content. We will also review current legal and regulatory requirements to ensure policy content meets identified provisions. At the end of this two-day session attendees will have written three draft policies.
Time-Based Objectives:
Day One
Key Objectives:
- Create an information security policy
- Identify the Tier 1, 2 and 3 policies
- Establish a supporting review team
- Address regulatory and legal requirements
You Will Leave With:
- A draft information security policy
- The ability to identify a good policy statement
- The skills to write any InfoSec policy
Getting started — We will begin with a discussion of the policy hierarchy and how each type of policy supports management’s goals and objectives. We will review and give examples of twelve organization-wide (Global or Tier 1) policies that every organization should have.

Information security policy development — Using current industry best practices and standards as a reference, we will identify the key items that should be included in an information security policy statement. We will address the enterprise’s definition of information security, management’s intentions, regulatory requirements and the process for reporting security incidents.

Policy critiquing, editing and drafting — Once attendees have been exposed to policy components and typical content, we break up into teams and examine, critique and edit existing policies. Each team will draft a policy that meets their needs.
Day Two
Establishing review teams — Every document that is published will have to be reviewed for form and content. We will examine methods for review and readying your document for publication. We will examine the concepts of a “core team” and a “support team.” We will identify pitfalls to avoid and how to ensure the readability of your document.

Creating supporting policies — We’ll examine the three tiers of information security policies—global, topic-specific and application-specific—that you’ll need in your organization to support the business missions.
Prerequisites:
n/a