Are your policies and procedures something that sit on a shelf until the auditors and/or regulators ask to see them? Have they become akin to "Shelfware"? As I write this, my colleagues and I are very busy assisting companies with assessing risks, recommending security posture and well yeah, auditing IT controls too.
So what about policies and procedures? Where do they fit? Are they anything more than the product of “give the auditors what they want”? When was the last time or better yet, have you ever had meaningful dialogue around policies and procedures? Just in case you’ve forgotten, policies and procedures provide the framework within which your company operates.
Unfortunately far too many organizations "don 't know what they …show more content…
Many other policies while not required, do help establish a more robust control framework. Simply put, one 's organization can 't afford to be out of compliance. Policy and procedure documentation is often the first item requested (albeit sometimes not the first to be updated), and viewed as the foundation to a well-controlled …show more content…
It 's been my experience that many organizations underestimate the importance of well-planned and well written policies and procedures in their push towards confidentiality, integrity and availability...the ultimate goals of a sound information security framework. Policies and procedures are the critical underpinnings to a sustainable security posture. Specifically, the Information Security Policy, when well defined, is a set of instructions to help guide IT professionals define and enact security controls -including access and authentication methods. It will establish what the organization considers acceptable versus unacceptable behavior. Ultimately, when performed correctly, the exercise of creating the policy and procedure taxonomy, will communicate the tone at that the top to the rest of the organization. This communication will describe the cohesive strategy adopted, between IT and the rest of the organization...also known as aligning IT and the
So what about policies and procedures? Where do they fit? Are they anything more than the product of “give the auditors what they want”? When was the last time or better yet, have you ever had meaningful dialogue around policies and procedures? Just in case you’ve forgotten, policies and procedures provide the framework within which your company operates.
Unfortunately far too many organizations "don 't know what they …show more content…
Many other policies while not required, do help establish a more robust control framework. Simply put, one 's organization can 't afford to be out of compliance. Policy and procedure documentation is often the first item requested (albeit sometimes not the first to be updated), and viewed as the foundation to a well-controlled …show more content…
It 's been my experience that many organizations underestimate the importance of well-planned and well written policies and procedures in their push towards confidentiality, integrity and availability...the ultimate goals of a sound information security framework. Policies and procedures are the critical underpinnings to a sustainable security posture. Specifically, the Information Security Policy, when well defined, is a set of instructions to help guide IT professionals define and enact security controls -including access and authentication methods. It will establish what the organization considers acceptable versus unacceptable behavior. Ultimately, when performed correctly, the exercise of creating the policy and procedure taxonomy, will communicate the tone at that the top to the rest of the organization. This communication will describe the cohesive strategy adopted, between IT and the rest of the organization...also known as aligning IT and the