How to Develop Information Security Policy
Tom Peltier
In this seminar we will examine why information security policies are
necessary, and how they fit into all facets of the organization. The development
of information security policies is not solely an IT or audit responsibility,
but rather an enterprise function that requires input from the business
units and implementation of policies that reflect the business needs and mission
of the enterprise. The concept of information security should permeate all of
the organization's policies.
Day 1
You Will Learn How To:
- Create an information security policy
- Identify the Tier 1, 2 and 3 policies
- Establish a supporting review team
- Draft an information security policy
- Identify a good policy statement
- Write any policy
GETTING STARTED - We will begin with a discussion
of 12 organization-wide policies and the minimum
content each should have with reference to information
security. The policies that we will discuss are high-level
(Tier 1) organization-wide policies and include
the following:
- Employment Practices
- Employee Standards of Conduct
- Conflict of Interest
- Performance Management
- Employee Discipline
- Information Security
- Corporate Communications
- Procurement and Contracts
- Records Management
- Asset Classification
- Workplace Security
- Business Continuity Planning
POLICY STATEMENT DEVELOPMENT - A policy is a
high-level statement of the enterprise's beliefs, goals,
and objectives for a specified subject area, and the
foundation for their attainment. Attendees will be
given the mechanics needed to create a policy and will
then critique and edit a draft information security policy.
Day 2
ESTABLISHING REVIEW TEAMS -
Every document that is published must
be reviewed for form and content. We will
examine the methods used to get the document
you create reviewed and ready for publication.
We will examine the concept of a 'core
team' and a 'support team'. We will show how to
ensure the readability of your document and identify
pitfalls to avoid.
CREATING SUPPORTING POLICIES - Three types of
policies will be used at different times in your information
security program and throughout the organization
to support the business process or mission:
- Global (Tier 1) Policies define the organization's overall vision and direction.
- Topic-specific (Tier 2) Policies address particular subjects of concern.
- Application-specific (Tier 3) Policies focus on decisions made by management to control particular applications (Financial Reporting, Payroll, etc.) or systems (Budgeting System).