Any existing dissonances in this context may render the information security policy project dysfunctional.
The most important thing for a security professional to remember is that knowing the security management practices allows him to incorporate them into the documents he is entrusted to draft, and that is what guarantees completeness, quality and workability.
Policy refinement takes place simultaneously with defining the administrative control, or authority in other words, that people in the organization have.
In essence, it is a hierarchy-based delegation of control in which an individual has authority over his own work, a project manager has authority over the project files belonging to the group he is appointed to, and the system administrator has authority solely over system files – a structure reminiscent of the separation of powers doctrine.
Following this line of reasoning to its conclusion, a policy can be as broad as its creators want it to be: basically everything from A to Z in terms of IT security, and even more.
For that reason, the emphasis here is placed on a few key elements, but you should make a mental note of the liberty of thought organizations have when they forge their own guidelines.
2.3 Information security objectives
An organization that strives to compose a working ISP needs to have well-defined objectives concerning security and strategy on which management has reached an agreement. Simplification of policy language is one thing that may smooth away differences and guarantee consensus among management staff. Consequently, ambiguous expressions are to be avoided. Conversely, a senior manager may have enough authority to decide what data can be shared and with whom, which means that they are not tied down by the same information security policy terms. So the logic demands that the ISP should address every basic position in the organization with specifications that clarify its authoritative status.