How to Develop Information Security Standards & Procedures
Speaker:
Thomas Peltier
President
Peltier and Associates
Presentation Overview:
Once an organization has implemented a policy statement on an issue, topic, system or application, there will be a need to develop and implement supporting standards and procedures. During this two-day, working seminar, we will examine how to write effective supporting standards and how to tie them to the policy statement. We will also examine how to use the material outlined in the International Standard on Information Security (ISO 17799), the Health Insurance Portability and Accountability Act (HIPAA) and other national and international standards to support the standards and procedures.
Time-Based Objectives:
Day One
Key Objectives:
- Create information security standards
- Develop procedures
- Identify the contents of a procedure document
- Use subject matter experts to your advantage
- Establish a supporting review team
Key Take-Aways:
- Draft information standards and procedures
- A sample Table of Contents
- A number of checklists and document examples
Introduction — We will discuss the common definitions for policy, standard, procedure and guideline. As a team we will determine which definition meets our needs and how to alter the definition to meet the specific need of our organizations.
Standards — We’ll explore where to find industry-specific standards and how to apply them to your organization.
Procedure style — We’ll examine three of the most popular styles for procedures — narrative, flow chart and playscript — and identify the advantages and disadvantages of each.
Day Two
Procedure table of contents — The table of contents is the section that will be used most often in the procedure document. We will identify the contents that could be part of an information security procedure document and define the terms topic, section and subject. With input from various international standards — ISO 17799:2005, HIPAA, GLBA, SOX, and NIST — we’ll put the contents of the facilitated session into a logical sequence. Using the ISO 17799, we’ll map security standards to the infrastructure of a typical enterprise, creating a blueprint upon which to build your security program.
Techniques on writing procedures — After presenting the do’s and don’ts of procedure writing, we’ll review the actual method for writing procedures effectively. A procedure is a step-by-step process that employees use in completing a task; therefore, its author must possess a clear understanding of the task. We’ll explore methods for enlisting experts in the procedure development process.
Gaining support — We will identify key elements in making your document marketable across all management groups as well as to the employees at large.
Prerequisites:
n/a