Anyone who has actually written company policies would probably agree that it is far from easy. There's quite an art to developing a form of words that simultaneously describes “the rules” clearly and unambiguously, applies to a variety of situations, and convinces staff to comply with the policy. Furthermore, simply publishing policies is not by itself sufficient to ensure compliance. IsecT can help you prepare a coherent suite of policies to address questions such as these:
- Which IT and/or information security issues do we need to cover?
- What are the key overarching security principles or axioms in our situation?
- What about the more detailed policies, standards, guidelines and all that - what do we actually need ... and what do these titles mean anyway?
- How do compliance imperatives from standards like ISO/IEC 27002 and obligations from legislation such as Privacy/Data Protection, SOX, HIPAA, PIPEDA, copyright, FISMA and FoIA, industry regulations such as NERC CIP 002 and contractual mandates relate to our internal policies and practices?
- To whom should our information security policies apply? How and to what extent should we cover third parties such as suppliers, contractors, partners and customers?
- Should management “approve” them, and if so who and how, exactly?
- What’s the best way to publish and promote policies and related materials to our employees?
- What can we do to achieve and manage compliance most effectively?
- What’s the best way to manage and control future changes to the policies etc.?
- Who should be accountable and responsible for information security, and how should we structure the function in relation to other functions such as risk management, physical security, compliance, legal and HR?
Drawing on our own experience, coupled with internationally recognised good practices from ISO27k and elsewhere, IsecT can help you scope and design an overall structural framework for your information security policies, populate it with high quality, plain English documents of various types, and then promulgate and promote compliance through the associated implementation/publication, awareness and training activities.
Contact IsecT if you need a high-level information security policy supported by a comprehensive information security policy manual. Our model policy manual reflects the current version of the international standard ISO/IEC 27002 and is available to purchase now. It comprises the most formal parts of a typical policy structure with 7 high-level guiding principles, 39 axioms, an extensive hyperlinked glossary of information security terms and, most importantly, more than 100 pages of detailed policy statements reflecting state-of-the-art information security practices. We can also help you create the supporting information security standards, guidelines and procedures to complete your security documentation set.
In conjunction with senior corporate management, IT management and various functions such as information security, HR and physical security, our related information security awareness service goes beyond simply delivering the documents and intranet web pages to helping you implement them throughout your organization. Call us to find out more.